Smallvoid.com
  • Home
  • About
  • Articles
  • Links
  • Forum

Restrict access for NULL sessions

February 6, 2002 by Snakefoot | 2 Comment

By standard it is possible for anonymous users to use NULL sessions to view:
  • Minimum Password length
  • If blank passwords are permitted
  • Maximum password age
  • Password history
  • Userlist
  • Network shares
This can be restricted by changing this DWORD in the registry:

[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \LSA]
RestrictAnonymous = 2 (Default = 0)

0 = None. Rely on default permissions
1 = Do not allow enumeration of SAM accounts and names (Will stop NULL session exploits)
2 = No access without explicit anonymous permissions (Win2k only)

Note if enabling this restriction it will disable guest account users from seeing Network Shares, as they will fail login with security error code : 3221225572 (Logon Failed : The username doesn't exist)

More info MS KB143474
More info MS KB246261
More info MS KB296405
More info MS KB328459
More info MS KB837964

It is also possible to access shares using NULL sessions. For security reasons it is only possible for a set of restricted shares (Besides IPC$) specified here:

[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \LanmanServer \Parameters]
NullSessionPipes = "..."
NullSessionShares = "..."

[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \LanmanServer \Parameters]
RestrictNullSessAccess = 1 (Secure = 1, Unsecure = 0, Default = No Value; Secure)

More info MS KB122702
More info MS KB289655
More info MS KB815458
More info MS KB830070
More info MS KB896658

Windows XP/2003 introduced a new setting "Network Access: Do not allow anonymous enumeration of SAM accounts", which disables enumerations of SAM accounts, but still allows enumerations of shares (For Simple File Sharing):

[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \LSA]
RestrictAnonymousSAM = 1 (Default = 1)

More info MS KB328459

Windows XP/2003 introduced a new setting "Network access: Let Everyone permissions apply to anonymous users", which enforces that all rights given to the Everyone-group (authenticated users) are not automatically given to the Anonymous Logon security group. Before Windows XP the Everyone-group included both authenticated users and anonymous users:

[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \LSA]
EveryoneIncludesAnonymous = 0 (Default = 0)

More info MS KB278259

Related Using NULL sessions to access this information

More info MS KB823659
More info MS KB889030
Tags:
  • anonymous-access, guest-account, null-session, user-account
Category:
  • User Security,
  • User Security,
  • User Security,
  • User Security

Comments:

  1. Kenny says:
    20 April 2006 at 8:25

    I've tried to set both the restrictAnonymous and restrictAnonymous but yet the problem is still there. Further to this, I also

    Create Key Name:
    RestrictNullSessAccess Reg_Dword set to �1� (Decimal)

    Restrict Null Session Access over Named Pipes and Shares
    By default the entries are:

    NullSessionPipes NullSessionShares
    COMNAP COMCFG
    COMNODE DFS$
    SQL\QUERY
    SPOOLSS
    EPMAPPER
    LOCATOR
    TrkWks

    Navigate to the following registry key:
    HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

    Value Name: NullSessionPipes
    NullSessionShares

    Use Regedt32, Edit, Multistring and remove all entries from the 2 values

    Do you have any idea? I'm running on WIndows XP

    Reply
  2. snakefoot says:
    20 April 2006 at 12:21

    Kenny
    I've tried to set both the restrictAnonymous and restrictAnonymous but yet the problem is still there.

    What kind of "problem" are you experiencing ?

    Are you using simple filesharing ?

    Remember that the group policy "Network access: Do not allow anonymous enumeration of SAM accounts and shares" will configure the RestrictAnonymous registry setting at start up.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related Posts

  • Using NULL sessions to view shares and user accounts
  • Restrict guest access to event logs
  • Configure Automatic Logon in Windows NT
  • Moving the userprofile to a different location
  • Securing the local Administrator account

Recent Posts

  • Disable IPv6 imaginary tunnel network interfaces
  • Encrypted backup to OneDrive or DropBox
  • Description of soft and hard page faults
  • Windows 10 Upgrade with black screen
  • Wordpress 4.2 Upgrade

Meta

  • Log in
  • Entries feed
  • Comments feed