Null Session Fix not working on Domain Controllers

Guest

We have been setting the registry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
RestrictAnonymous to 1 as a standard practice. This prevents usernames and
shares from being enumerated on member servers but on domain controllers we
are still able to enumerate just the usernames. Setting to 2 causes some
applications to fail.

Saw a link to an article in the knowledgebase but it leads to an "article no
longer found".

Suggestions?

Thanks!

Guest

Thanks Les. I've seen that particular article. In article 143474 there is a
sentence that says:

830070 Anonymous access using Null Session possible after you configure the
registry to restrict remote access

That is the problem we are experiencing ONLY on domain controllers after
making the registry change that says specifically "1 Do Not Allow
enumeration of SAM accounts and names". Again, setting it to 2 breaks
internal applications.

Paul

Steven L Umbach

The "2" setting is not suggested on domain controllers. If you are enforcing
strong passwords on the network, auditing for failed logon attempts, and use
a firewall to protect your network I would not worry about null sessions.
Domain controllers also tend to be master or domain master browsers [pdc
fsmo for sure] and the "2" setting can also cause problems with the browse
list if you use My Network Places. The Windows 2000 Security Hardening
Guide, Windows 2003 Security Guide, and Threats and Countermeasures Guide
have more information and recommendations on that particular security option
and all the others. --- Steve

http://www.infosec.uga.edu/windows.html -- links to Windows Security Guides

Joe Richards [MVP]

I seem to recall hearing 1 was disallowed on DCs due to breaking things on
clients that use anonymous connections to pull up various security dialog boxes
and such on clients. Completely valid traffic basically.

joe

Karl Levinson, mvp

Nevada_Paul said:
We have been setting the registry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
RestrictAnonymous to 1 as a standard practice. This prevents usernames and
shares from being enumerated on member servers but on domain controllers we
are still able to enumerate just the usernames. Setting to 2 causes some
applications to fail.

Actually, I don't think 1 prevents usernames and shares from being
enumerated on any system, as long as you are using the right tool to get
that information. Setting it to 1 breaks some enumeration tools, but not
others. www.securityfriday.com has an article on what this does and does
not do, as well as the excellent getacct tool to test whether this setting
really is preventing enumeration of users on your workstations. The Windows
2000 group policy guide #3 at www.nsa.gov/snac also has a bit of
information.

Note that Restrictanonymous=2 as a setting only exists in Windows 2000. In
NT, XP and 2003, 1 is the highest setting, and in the latter two there is a
second setting called RestrictAnonymousSam that does the rest. You want to
be sure not to apply any group policy templates for, say, Windows 2000, to
any other operating system and vice versa due to changes like this, as the
results can be undesirable.
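As an added illustration of the points raised in this thread (this is not code posted by Paul, Karl or anyone else here), the PowerShell script below reads the LSA values under discussion from a list of hosts, interprets them with the Windows 2000 versus XP/2003 semantics Karl describes (RestrictAnonymous=2 only exists on Windows 2000; later systems add RestrictAnonymousSAM), and then probes each host for an anonymous IPC$ connection and share listing. The host names MEMBER01 and DC01 are placeholders, and the script assumes the Remote Registry service is reachable on the targets and that net.exe is on the path. It does not replicate the SID-based name lookups that getacct uses, so a host that passes the share-list probe can still give up user names the way the thread describes.

```powershell
# Added example for this thread (not code from any of the posters).
# Reads the LSA anonymous-access values discussed above from each host,
# interprets them per OS version, and probes whether an anonymous IPC$
# session and share listing still succeed.
# Assumptions: Remote Registry service reachable on targets; the caller can
# read HKLM remotely; host names below are placeholders.
$Targets = @('MEMBER01', 'DC01')   # assumed placeholder names

$LsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'
$VerPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RemoteRegValue {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    # Same key path the thread discusses, read through the Remote Registry API.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $base.Close() }
}

function Get-AnonymousPolicy {
    param([string]$Computer)
    $ver  = [string](Get-RemoteRegValue $Computer $VerPath 'CurrentVersion')
    $ra   = Get-RemoteRegValue $Computer $LsaPath 'RestrictAnonymous'
    $rsam = Get-RemoteRegValue $Computer $LsaPath 'RestrictAnonymousSAM'
    $eia  = Get-RemoteRegValue $Computer $LsaPath 'EveryoneIncludesAnonymous'

    # Windows 2000 reports CurrentVersion 5.0 and is the only OS where
    # RestrictAnonymous=2 exists. On XP (5.1) and 2003 (5.2) RestrictAnonymous
    # backs "Do not allow anonymous enumeration of SAM accounts and shares" and
    # RestrictAnonymousSAM backs "Do not allow anonymous enumeration of SAM accounts".
    $notes = @()
    if ($ver -eq '5.0') {
        if     ($ra -eq 2) { $notes += 'RA=2: no anonymous access without explicit permission (thread warns this breaks apps and browsing on DCs)' }
        elseif ($ra -eq 1) { $notes += 'RA=1: stops some enumeration tools only; verify with getacct' }
        else               { $notes += 'RA unset/0: anonymous enumeration allowed' }
        if ($null -ne $rsam) { $notes += 'RestrictAnonymousSAM has no effect on Windows 2000' }
    } else {
        if ($ra -gt 1)   { $notes += "RA=$ra exceeds the maximum (1) for this OS; a Windows 2000 template was probably applied" }
        if ($ra -ne 1)   { $notes += 'RestrictAnonymous not 1: anonymous share enumeration allowed' }
        if ($rsam -ne 1) { $notes += 'RestrictAnonymousSAM not 1: anonymous SAM account enumeration allowed' }
        if ($eia -eq 1)  { $notes += 'EveryoneIncludesAnonymous=1: Everyone permissions apply to anonymous users' }
    }
    [pscustomobject]@{
        Computer                  = $Computer
        OSVersion                 = $ver
        RestrictAnonymous         = $ra
        RestrictAnonymousSAM      = $rsam
        EveryoneIncludesAnonymous = $eia
        Notes                     = ($notes -join '; ')
    }
}

function Test-NullSession {
    param([string]$Computer)
    # Anonymous IPC$ connection (empty user name and password), then a share
    # list over that session. net.exe output is discarded; success is judged
    # from the exit code, and the session is torn down afterwards.
    & net.exe use "\\$Computer\IPC$" '""' /user:'""' 2>&1 | Out-Null
    $session = ($LASTEXITCODE -eq 0)
    $shares  = $false
    if ($session) {
        & net.exe view "\\$Computer" 2>&1 | Out-Null
        $shares = ($LASTEXITCODE -eq 0)
        & net.exe use "\\$Computer\IPC$" /delete /y 2>&1 | Out-Null
    }
    [pscustomobject]@{ Computer = $Computer; NullSession = $session; AnonShareList = $shares }
}

foreach ($t in $Targets) {
    Get-AnonymousPolicy -Computer $t | Format-List
    Test-NullSession   -Computer $t | Format-Table -AutoSize
}
```

Run it from a member workstation rather than from the domain controller itself, since a local loopback test does not exercise the same path an outside enumerator takes. A domain controller showing RestrictAnonymous=1, NullSession=True and AnonShareList=False matches the situation Paul describes: shares are hidden, but the session is still established, which is the opening that tools like getacct use to pull user names.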
 
