SMB null session


John Wilks

My company network gets audited by an outside security
firm every month, and what they do is try to find an
exploit in my network, either from the firewalls to the
servers and clients. I get this report saying that a
couple of my servers allow anonymous null SMB sessions.
They told me, and I also knew, that I can lock it
down by not allowing anonymous sessions by changing the
setting "Additional restrictions for anonymous
connections" in the domain security policy to "No access
without explicit anonymous permissions".

It's just one thing: I already had this as the setting. I
checked the registry and it has the right setting also. I
checked the servers, made the local security policy the
same setting just to be sure, and it was already set that
way. When I got the second report it had the same SMB
null session warning for the same servers. Any
suggestions on how I can fix this would be appreciated.
 
Hi John. Always check the "effective" setting in the "Local Security
Policy" of a computer to make sure it is not being overridden by a
domain/domain controller/OU policy. If things don't look as they should, you
could also run the Security Configuration and Analysis tool on a server to
see what it finds. The "no access" setting is as restrictive as you can go
and can cause problems, particularly if you have non-W2K computers on the
network. The next step is to block the ports with a firewall. You could try
testing the servers yourself by trying to create a null session by using
the net command such as [ net use \\servername\ipc$ "" /u:"" ]. You will get
an access is denied message if null sessions are blocked. You could also use a
tool like Dumpsec from Somar. -- Steve

http://www.somarsoft.com/ -- Dumpsec
http://support.microsoft.com/?kbid=246261 -- Info about null session.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289655 -- Info
about null sessions.
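
An added example, not part of either post: a PowerShell check that reads the effective registry value on each server and then runs the `net use` test from the reply, so a server that reports the restrictive setting but still accepts a null session stands out. The server names and function names are placeholders; the value name `RestrictAnonymous` under the LSA key is the one described in KB 246261 and is not named in the thread.

```powershell
# Added example: compare the effective RestrictAnonymous value with an actual
# null-session attempt. Server names are placeholders (assumption).
$Servers = @('SERVER01', 'SERVER02')

function Get-RestrictAnonymous {
    param([Parameter(Mandatory)][string]$Server)
    # 2 = "No access without explicit anonymous permissions" on Windows 2000.
    # Needs admin rights on the target and the Remote Registry service.
    try {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
        $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $lsa.GetValue('RestrictAnonymous')
        $hklm.Close()
        return $value
    } catch {
        return $null   # unreachable or access denied
    }
}

function Test-NullSession {
    param([Parameter(Mandatory)][string]$Server)
    $target = "\\$Server\ipc`$"
    # Same command as in the reply: empty user name, empty password.
    # Passed as one string so the empty quoted arguments survive.
    $connect = Start-Process -FilePath 'net.exe' -Wait -PassThru -WindowStyle Hidden `
        -ArgumentList "use $target `"`" /u:`"`""
    if ($connect.ExitCode -eq 0) {
        # The session was accepted; remove it again.
        Start-Process -FilePath 'net.exe' -Wait -WindowStyle Hidden `
            -ArgumentList "use $target /delete" | Out-Null
        return $true
    }
    return $false
}

foreach ($server in $Servers) {
    $restrict = Get-RestrictAnonymous -Server $server
    $nullOk   = Test-NullSession -Server $server
    [pscustomobject]@{
        Server              = $server
        RestrictAnonymous   = if ($null -eq $restrict) { 'unreadable' } else { $restrict }
        NullSessionAccepted = $nullOk
        # Policy says "no access" but the server still accepted the session.
        Mismatch            = ($restrict -eq 2 -and $nullOk)
    }
}
```

Run it from a machine that has no existing connection to the servers; otherwise `net use` can fail with error 1219 (multiple connections with different credentials) and the result will read as blocked when it was never tested.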
 