null session shares

  • Thread starter Thread starter Mike Oliver
  • Start date Start date
M

Mike Oliver

I've been investigating null session shares and I've been confused by
the fact that I seem to be able to create a share and have access to
it from a null session (Local System account from a client machine)
without having to do anything special. Here is my configuration:

Server: Win2K3, RestrictNullSessAccess = 1 (so null session access
should be blocked by default), NullSessionShares = CONCFG, DFS$
(default values), Let Everyone permissions apply to annonymous access
= disabled
Client: WinXP SP2, service process running under the local system
account

Given this configuration, if I create a share and allow the Everyone
group full control, the client service can access the share. From my
understanding, this shouldn't be the case because a null session isn't
part of the Everyone group. I thought I'd have to add the new share to
the NullSessionShares entry. So, I'm confused.

Am I missing something here? Any other registry vaules/local policy
values on the server that can be affecting this?

Thanks,

Mike Oliver
 
Make sure the guest account is disabled on the Windows 2003 Server. If the
guest account is disabled I would be surprised if an anonymous connection
could be made to a share with everyone access, that is not a null session
share. The other thing to try is to enable auditing of logon events on that
server and then look in the security log to see how the user was
authenticated. Also you can use Computer Management/shared folders/sessions
to see how a user is accessing a computer/share while they are connected to
the computer. Keep in mind that XP allows stored credentials which may
authenticate a user when they do not realize they have been authenticated by
those stored credentials. --- Steve
 
Thanks for the info.

The Guest account is, in fact, disabled. When I examine the
shares\sessions, I see that the user which shows up is MACHINENAME$,
where MACHINENAME is the client machine. Why would the client appear
as the computer on the server if the client process is running under
the local system account? I rebooted the client to flush any stored
credentials and had the same results.

So, I still not sure why I can connect to the server share with a null
session. Any other thoughts?

Thanks,

Mike Oliver
 
Don't know offhand. Exactly how are you connecting to that share? Can you
access data in the share - open files and such? --- Steve
 
Back
Top