nessus scan


BOFH

As a part of our new policy to port scan everything several times a year
using nessus, we have come across a couple of things when scanning our
fully patched windows 2003 enterprise servers:

1. It was possible to log into the remote host using a NULL session. The
concept of a NULL session is to provide a null username and a null password,
which grants the user the 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261
(Windows 2000).
Note that this won't completely disable null sessions, but will prevent them
from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

I have set the restrictanonymous registry key to 1 and 2 (with reboots
between the changes) and every scan I run I always get the above message.
Is there a way to disable 'guest' access? Is there some KB Article I missed
that discusses NULL sessions and windows 2003?

2. How do I disable NULL BIND on my LDAP servers? I am not running
exchange.

Thank you for your time,

BOFH1234
 
Null sessions do not really enable guest access to resources. They are used
for various networking processes including maintaining the browse list,
downlevel trusts, and for changing passwords before a user logs onto the
computer in certain cases. Null sessions can allow unauthenticated access to
enumerate share, user, group, and other information. This information can be
used to mount an attack against a computer or a domain, though a properly
configured firewall will prevent untrusted networks from obtaining that
information. Null sessions do NOT allow unauthenticated access to data on
shares. Enabling the "guest account" will allow unauthenticated access to
shares that have Everyone permissions, including NTFS permissions and the
user right to access this computer from the network. The setting of 1 is a
good compromise for most domain controllers, as 2 will even cause problems
when XP Pro users try to change their domain passwords at logon. Setting it
at 2 may be fine for domain workstations and servers if you are not using
downlevel clients to access those servers. If you have a properly configured
firewall and account lockout policy, enforce complex passwords, and enable
auditing for account logon events and account management on domain
controllers and logon events on your servers, I would not be too concerned
about leaving null access at 1. I am not that familiar with null
access to LDAP. I suggest also posting to the win2000.Active_directory
newsgroup about that issue. --- Steve

http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch05.mspx
-- read more about null/anonymous access at the link, including potential
impact.
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
-- and here under additional restrictions for anonymous access under
security options
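As an added example (my own code, not anything posted in this thread or published by Microsoft), here is a Python check that takes the Windows 2003 anonymous-access registry values Steve's reply talks about and reports what a null session can still do. The values are supplied as a constructed dict (the shape you would get from a reg.exe export) so it runs offline; the Windows 2003 defaults used for missing keys are an assumption of the example.

```python
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# Constructed sample resembling the poster's server: RestrictAnonymous raised
# to 1, yet Everyone still applies to anonymous users and pipes/shares stay open.
SAMPLE = {
    (LSA, "RestrictAnonymous"): 1,
    (LSA, "RestrictAnonymousSAM"): 1,
    (LSA, "EveryoneIncludesAnonymous"): 1,
    (SRV, "RestrictNullSessAccess"): 1,
    (SRV, "NullSessionPipes"): ["COMNAP", "COMNODE", "SQL\\QUERY", "SPOOLSS"],
    (SRV, "NullSessionShares"): ["PUBLIC"],
}

def assess(values):
    """Translate raw registry values into what a null session can do.
    Missing keys fall back to Windows 2003 defaults (an assumption here)."""
    ra = values.get((LSA, "RestrictAnonymous"), 0)
    ra_sam = values.get((LSA, "RestrictAnonymousSAM"), 1)
    everyone = values.get((LSA, "EveryoneIncludesAnonymous"), 0)
    restrict = values.get((SRV, "RestrictNullSessAccess"), 1)
    pipes = list(values.get((SRV, "NullSessionPipes"), []))
    shares = list(values.get((SRV, "NullSessionShares"), []))
    result = {
        # RestrictAnonymous=1 blocks share and SAM enumeration;
        # RestrictAnonymousSAM=1 alone blocks only SAM enumeration.
        "share_enum": ra == 0,
        "sam_enum": ra == 0 and ra_sam == 0,
        "everyone_applies": everyone == 1,
        # RestrictNullSessAccess=0 ignores the lists: everything is open.
        "open_pipes": pipes if restrict == 1 else ["<all>"],
        "open_shares": shares if restrict == 1 else ["<all>"],
        "findings": [],
    }
    f = result["findings"]
    if ra >= 2:
        f.append("RestrictAnonymous=2 is the Windows 2000 value; on 2003/XP "
                 "use EveryoneIncludesAnonymous=0 instead")
    if result["share_enum"]:
        f.append("null sessions can enumerate shares (RestrictAnonymous=0)")
    if result["sam_enum"]:
        f.append("null sessions can enumerate SAM accounts")
    if result["everyone_applies"]:
        f.append("Everyone permissions apply to anonymous users")
    if result["open_pipes"] or result["open_shares"]:
        f.append("null sessions may open pipes %s / shares %s"
                 % (result["open_pipes"], result["open_shares"]))
    # No value here refuses the anonymous IPC$ connect itself, which is why a
    # scanner's "NULL session" check keeps firing; they limit what it can do.
    f.append("anonymous IPC$ connect still accepted; see items above")
    return result
```

Run `assess(SAMPLE)` and walk the findings: the last line explains why the Nessus message persists after changing RestrictAnonymous, and the earlier ones list what is actually left to tighten.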
 
Thank you for the information. I think that this needs to be documented
somewhere in a KB article. This looks like a little change from the way
Windows 2000 Server did things.

BOFH1234

Steven L Umbach said:
Null sessions do not really enable guest access to resources. They are used
for various networking processes including maintaining the browse list,
downlevel trusts, and for changing passwords before a user logs onto the
computer in certain cases. Null sessions can allow unauthenticated access to
enumerate share, user, group, and other information. This information can be
used to mount an attack against a computer or a domain, though a properly
configured firewall will prevent untrusted networks from obtaining that
information. Null sessions do NOT allow unauthenticated access to data on
shares. Enabling the "guest account" will allow unauthenticated access to
shares that have Everyone permissions, including NTFS permissions and the
user right to access this computer from the network. The setting of 1 is a
good compromise for most domain controllers, as 2 will even cause problems
when XP Pro users try to change their domain passwords at logon. Setting it
at 2 may be fine for domain workstations and servers if you are not using
downlevel clients to access those servers. If you have a properly configured
firewall and account lockout policy, enforce complex passwords, and enable
auditing for account logon events and account management on domain
controllers and logon events on your servers, I would not be too concerned
about leaving null access at 1. I am not that familiar with null
access to LDAP. I suggest also posting to the win2000.Active_directory
newsgroup about that issue. --- Steve
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch05.mspx
 
The Threats and Countermeasures guide that I referenced before explains it about
as well as anything I have seen, along with recommendations. In W2K there was
basically one configuration setting, while Windows 2003 and XP Pro have about
seven settings to restrict anonymous access for more granular control. -- Steve
 
NULL BIND, which is your question #2, is part of the LDAP v3 standard. You have to
be able to bind without credentials to find out what types of security you can
use with an LDAP server.
 