Full Disclosure mailing list archives

Re: Re: It's not that simple...


From: "Kurt Seifried" <listuser () seifried org>
Date: Wed, 17 Aug 2005 15:49:32 -0600

Actually it really is that simple. Disabling Null sessions is entirely possible, quite easy, and doesn't break a lot (at least in my previous testing years ago it didn't break anything noticeable). Can people please do a little research before posting emails with incorrect information or simple guesses/etc. Microsoft.com has a pretty good search engine now, there is of course google, and other resources as well. I suppose this is why I run a moderated subset of this list, less crap, more information.

For more in depth articles see the end of this posting.

===========

For a good description of how to disable them/etc:

http://mit.edu/pismere/support/for-cont-admins/null-session-info.html

"Settings in Windows 2000
Windows 2000 machines have a single registry value HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous which controls this behavior. This is a DWORD value which can be set to either zero (0), one (1), or two (2):

a. When RestrictAnonymous is set to 0 (or does not exist), no restrictions are placed on null sessions. This is the factory-default setting.
b. When RestrictAnonymous is set to 1, SAM accounts and shares cannot be enumerated by null sessions.
c. When RestrictAnonymous is set to 2, null sessions have no access without explicit anonymous permissions.

When you edit a group policy object from a Windows 2000 machine, there is a setting located under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options called Additional restrictions for anonymous connections. If you enable this setting, you are given three choices, which cause the machines affected by the group policy object to set their HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous in the following way:

a. If you select "None. Rely on default permissions", affected machines set RestrictAnonymous to 0.
b. If you select "Do not allow enumeration on SAM accounts and shares", affected machines set RestrictAnonymous to 1.
c. If you select "No access without explicit anonymous permissions", affected machines set RestrictAnonymous to 2.

If you only have Windows 2000 machines in your container, this makes sense, because the machines affected by your group policy object will all behave appropriately when HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous is set this way. Unfortunately, any Windows XP and Server 2003 machines in your container will also receive these registry settings, which may not be the effect you intended."

===========

In depth (several pages) article on "The NULL session and the Guest account"

http://www.microsoft.com/msj/0299/security/security0299.aspx

===========

An MSDN article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconreducenullsessionvulnerability.asp
"When a program or service is started by using the System user account, the service logs on with null credentials. This can be a potential security risk, because it allows for an unauthenticated log on to the system. A hacker or worm can exploit this vulnerability and potentially access sensitive data on the system.

The simplest way to reduce null session vulnerability is to disable NetBIOS and verify that ports 139 and 445 are closed.

However, if your run-time image requires NetBIOS, you can control null session access by editing the following registry key to restrict anonymous access to sensitive data:

Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: 0

The default value of this key is 0. Changing this value to 1 blocks enumeration of SAM and user accounts, and prohibits a null session from seeing user accounts and admin shares. A value of 2 disables null session access without explicit permissions. Changing this value to 2 may conflict with some applications that rely on null sessions.

After you change the registry data, reboot your run-time images and test your applications to verify that they work with restricted null session access."

===========

I think this should about cover it.

-Kurt Seifried
http://seifried.org/freescan2/
https://lists.seifried.org/mailman/listinfo/security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
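The registry procedure quoted above (RestrictAnonymous under HKLM\System\CurrentControlSet\Control\Lsa, plus the MSDN advice to confirm whether 139/445 are listening) as a runnable audit-and-enforce script. This is an added example, not code from the post or from any of the linked articles. The value names are the documented ones; the -Enforce switch, the desired-value table and the output layout are this script's own choices. It assumes an elevated PowerShell session on a host new enough to have Get-NetTCPConnection (Windows 8 / Server 2012 or later; use netstat -an on older builds). The two extra Lsa values (RestrictAnonymousSAM, EveryoneIncludesAnonymous) and the LanmanServer values are what Windows XP / Server 2003 and later use in place of the Windows 2000 "2" level, which is why the script targets RestrictAnonymous=1 rather than 2 as the portable setting.

```powershell
# Added example, not from the original post. Reports the anonymous-access
# lockdown values discussed in the thread and, with -Enforce, sets them.
# Run as Administrator. Value names are the documented ones; the desired
# values below are this script's own hardening choices.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# RestrictAnonymous=1 is the portable choice. The Windows 2000 "2" level is
# not carried over in the same form on XP/2003 and later, which expose the
# two extra Lsa values instead.
$desired = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Value = 1 },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Value = 1 },  # XP/2003 and later
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Value = 0 },  # XP/2003 and later
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Value = 1 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # A missing RestrictAnonymous behaves like 0, so report $null as 'missing'
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($d in $desired) {
    $current = Get-RegDword -Path $d.Path -Name $d.Name
    $shown   = if ($null -eq $current) { 'missing' } else { $current }
    $ok      = ($current -eq $d.Value)
    '{0,-26} current={1,-8} desired={2} {3}' -f $d.Name, $shown, $d.Value,
        $(if ($ok) { 'OK' } else { 'DIFFERS' })
    if (-not $ok -and $Enforce) {
        # -Force creates the DWORD if absent or overwrites it in place
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord `
            -Value $d.Value -Force | Out-Null
    }
}

# Pipes and shares still reachable by a null session; empty lists are the goal
foreach ($n in 'NullSessionPipes', 'NullSessionShares') {
    $v = (Get-ItemProperty -Path $srv -Name $n -ErrorAction SilentlyContinue).$n
    '{0,-26} {1}' -f $n, $(if ($v) { $v -join ', ' } else { '(none)' })
}

# The MSDN excerpt's other recommendation: is anything listening on 139/445?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

if ($Enforce) {
    Write-Warning 'Reboot (or restart the Server service) and re-test any application that relies on null sessions.'
}
```

To confirm the effect from a second machine, the classic test is `net use \\TARGET\ipc$ "" /user:""` followed by `net view \\TARGET`; after the lockdown the first command may still succeed, but share and account enumeration should be refused. Test before rolling the setting out by group policy, since the MSDN text is right that some older applications depend on null sessions.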

