Disabling of NULL shares on W2K DCs


Ping

Does anyone know how to disable null sessions on domain
controllers?

Our auditors told us to turn off
nullsessionpipes\nullsessionshares on our domain
controllers.

But they didn't tell us what values to set them to.
Would anyone know?

Thanks!
 
Apparently they don't know how to do it. Kind of like going to a doctor and he tells
you that you are sick but not what to do.

Here is a KB that discusses the use of those a bit.

http://support.microsoft.com/default.aspx?kbid=289655

There is a setting in Domain Controller Security Policy security options for
additional restrictions for anonymous connection that if you set to no access without
explicit anonymous permissions will disable the ability to use null shares/named
pipes HOWEVER this can break things in a domain and cause problems with downlevel
trusts, network browsing, and even changing passwords before logging on particularly
if downlevel [NT, W9X] and even XP Pro computers are used. I wonder if they knew that
before they told you to turn it off. The KB below explains restricting anonymous
access and the possible ramifications.

http://support.microsoft.com/?kbid=246261 -- pay attention to "The following tasks
are restricted when the RestrictAnonymous registry value is set to 2 on a Windows
2000-based domain controller"

The Windows 2000 Security Hardening Guide also has more info on W2K security,
including recommendations for specific networking configurations. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx --
chapter 5 W2SHG.
 
Thanks Steve,
there was a paragraph in the Windows Server Hardening
guide that covered disabling nullsessionshares and
nullsessionpipes that was helpful.

I don't know about that restricting anonymous access KB
article tho, that looks scary.

 
Ok. Glad you found out what you needed. The W2KSHG is a pretty good resource. As far
as "additional restrictions for anonymous connections" the setting for "do not allow
enumeration of sam account and shares" [ same as registry setting of 1 ] is usually
safe to implement and very similar to how Windows 2003 Server is configured to
restrict anonymous access. --- Steve


 
I agree that Restrictanonymous = 1 is usually safe. However, it doesn't
disable null sessions, a lot of useful information can still be enumerated.
You can read an article on this and download the getacct123 tool to see
exactly what data is visible by going to www.securityfriday.com

Using restrictanonymous = 2 breaks some things, most notably if you have any
Win9x, ME or NT clients or servers requiring authentication.

Note that Windows 2000 is the ONLY OS that uses Restrictanonymous = 2.
Windows 2003 and XP only give you options of 0 and 1, and use a second
registry value called RestrictAnonymousSAM that can also either be 0 or 1.



 
Hi Karl.

I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted in a
lot of support calls from users who implemented it often from security templates
[such as the NSA ones] without investigating the ramifications first or because W2003
offers about six related settings for more granular control of anonymous access
offering almost the same. Interestingly enough at least one version of MBSA would
instruct users to implement the " 2 " setting without mentioning any side effects. I
have been playing around with XP SP2 and it actually warns you if you are going to
make a change to a security setting that may cause a conflict with other operating
systems and refers you to a related KB article - very nice! I had most of the
GPO/security policy settings memorized for W2K but now with XP SP2 it is a whole new
game with a mind boggling selection of policy settings. --- Steve


 
I think your comment about "granular control" is the key. While
changing these settings every time a new OS is released is annoying, I
would think the advantage to having two different binary values
instead of one multiple choice value is that you can configure each
one independently if you wish.

I'm not sure if that's relevant or meaningful in this current example,
e.g. whether configuring RestrictAnonymousSAM = 1 but
RestrictAnonymous = 0 would make a difference or not.
 
Interestingly I ran a little test. In addition to the tool you mention, Superscan4
from Foundstone can also enumerate using a null session. For W2K a setting of " 2 "
blocks everything, however the setting of " 1 " still allows enumeration of user
accounts, groups, shares, and password/account lockout policy or in other words it
does not prevent anonymous enumeration of sam account and shares as the settings
suggests and as you indicate. Not only does it allow enumeration of users and groups
but gives detailed account properties for the account and groups show group
membership. I could not really find any reason using Superscan4 to use setting " 1 "
over setting " 0 " for W2K while a setting of " 2 " can cause problems in mixed
network configurations. For W2K it seems to be an all or nothing trap.

Windows 2003 however shows that in default security configuration of " do not allow
anonymous enumeration of sam account " it actually works as advertised and I was not
able to obtain any user, group, or password/account policy information - only
enumeration of shares. When I also enabled " do not allow anonymous enumeration of
sam account and shares" for Windows 2003 I saw no difference and was still able to
enumerate shares though to me that is a lot less important information to an attacker
than detailed user, group, password/account information. --- Steve
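
An added example, not written by any poster in this thread: a Python check that parses `reg query` output for the four values discussed above (RestrictAnonymous, RestrictAnonymousSAM, NullSessionPipes, NullSessionShares) and reports them the way the thread describes their effect. The `reg query` text layout, the sample data and the `w2k`/`xp2003` labels are assumptions of this example; the key paths are the standard Lsa and LanmanServer\Parameters locations.

```python
import re

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

# Constructed sample in `reg query` layout (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SQL\QUERY\0SPOOLSS
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$
"""

def parse_reg_query(text):
    """Return {key path (lowercased): {value name (lowercased): data}}."""
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():                       # unindented line is a key path
            current = keys.setdefault(line.strip().lower(), {})
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m and current is not None:
            name, kind, data = m.groups()
            if kind == "REG_DWORD":
                data = int(data, 16)
            elif kind == "REG_MULTI_SZ":                # entries are joined by a literal \0
                data = [s for s in data.split("\\0") if s]
            current[name.lower()] = data
    return keys

def audit(keys, os_family):
    """os_family is 'w2k' or 'xp2003' (labels invented for this example)."""
    lsa, srv = keys.get(LSA, {}), keys.get(SRV, {})
    ra, sam = lsa.get("restrictanonymous"), lsa.get("restrictanonymoussam")
    out = []
    if os_family == "w2k":
        if ra == 2:    # the thread warns that 2 can break downlevel clients and trusts
            out.append("RestrictAnonymous=2: test downlevel clients and trusts (KB 246261)")
        else:          # per the thread, 0 and 1 both leave null sessions usable on W2K
            out.append(f"RestrictAnonymous={ra}: null sessions are still accepted on W2K")
    elif sam != 1:     # XP/2003 control SAM enumeration with the separate value
        out.append(f"RestrictAnonymousSAM={sam}: anonymous SAM enumeration not restricted")
    for name in ("nullsessionpipes", "nullsessionshares"):
        if srv.get(name):
            out.append(f"{name}: anonymous access to {', '.join(srv[name])}")
    return out
```

Calling `audit(parse_reg_query(SAMPLE), "w2k")` returns one finding for RestrictAnonymous and one for each non-empty null session list.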

