Restrict access for NULL sessions

6 February 2002 by Snakefoot
By default, anonymous users can use NULL sessions to view:
  • Minimum Password length
  • If blank passwords are permitted
  • Maximum password age
  • Password history
  • Userlist
  • Network shares
This can be restricted by changing this DWORD in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymous = 2 (Default = 0)

0 = None. Rely on default permissions
1 = Do not allow enumeration of SAM accounts and names (Will stop NULL session exploits)
2 = No access without explicit anonymous permissions (Win2k only)

Note: enabling this restriction prevents guest account users from seeing network shares, because their logon fails with security error code 3221225572 (Logon Failed: The username doesn't exist).

More info MS KB Q143474
More info MS KB Q246261
More info MS KB Q296405
More info MS KB Q328459
More info MS KB Q837964

It is also possible to access shares using NULL sessions. For security reasons, this works only for a restricted set of shares (besides IPC$), specified here:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
NullSessionPipes = "..."
NullSessionShares = "..."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
RestrictNullSessAccess = 1 (Secure = 1, Unsecure = 0, Default = No Value; Secure)

More info MS KB Q122702
More info MS KB Q289655
More info MS KB Q815458
More info MS KB Q830070
More info MS KB Q896658

Windows XP/2003 introduced a new setting, "Network Access: Do not allow anonymous enumeration of SAM accounts", which disables enumeration of SAM accounts but still allows enumeration of shares (for Simple File Sharing):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymousSAM = 1 (Default = 1)

More info MS KB Q328459

Windows XP/2003 introduced a new setting, "Network access: Let Everyone permissions apply to anonymous users", which ensures that rights given to the Everyone group (authenticated users) are not automatically given to the Anonymous Logon security group. Before Windows XP, the Everyone group included both authenticated users and anonymous users:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
EveryoneIncludesAnonymous = 0 (Default = 0)

More info MS KB Q278259
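
The registry values described above can be audited in one pass. The PowerShell below is an added example, not part of the original post: it compares each DWORD with the restrictive value listed on this page and reports any NullSessionPipes / NullSessionShares entries for review. The function names and the sample input are hypothetical.

```powershell
# Added example (not from the original post). Function and variable names are hypothetical.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Accept = values this page lists as restrictive; Default = what the page says applies when unset.
$Checks = @(
    @{ Path = $Lsa;    Name = 'RestrictAnonymous';         Accept = 1, 2; Default = 0 }
    @{ Path = $Lsa;    Name = 'RestrictAnonymousSAM';      Accept = @(1); Default = 1 }  # XP/2003 default
    @{ Path = $Lsa;    Name = 'EveryoneIncludesAnonymous'; Accept = @(0); Default = 0 }
    @{ Path = $Server; Name = 'RestrictNullSessAccess';    Accept = @(1); Default = 1 }  # no value = secure
)
$Lists = 'NullSessionPipes', 'NullSessionShares'   # REG_MULTI_SZ allow-lists, reported for review

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-NullSessionSettings {
    param([hashtable]$Values)   # optional name -> value map, e.g. collected from another host
    foreach ($c in $Checks) {
        $raw = if ($null -ne $Values) { $Values[$c.Name] } else { Get-RegValue $c.Path $c.Name }
        $effective = if ($null -eq $raw) { $c.Default } else { [int]$raw }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $raw) { "(not set, default $($c.Default))" } else { "$raw" }
            Status  = if ($c.Accept -contains $effective) { 'OK' } else { 'WEAK' }
        }
    }
    foreach ($name in $Lists) {
        $raw = if ($null -ne $Values) { $Values[$name] } else { Get-RegValue $Server $name }
        $entries = @($raw | Where-Object { $_ })   # drop nulls and empty strings
        [pscustomobject]@{
            Setting = $name
            Value   = if ($entries.Count) { $entries -join ', ' } else { '(empty)' }
            Status  = if ($entries.Count) { 'REVIEW' } else { 'OK' }
        }
    }
}

# Constructed sample: RestrictAnonymous left at 0, one pipe and one share still listed.
$sample = @{ RestrictAnonymous = 0; RestrictAnonymousSAM = 1
             NullSessionPipes = 'SPOOLSS'; NullSessionShares = 'COMCFG' }
Test-NullSessionSettings -Values $sample | Format-Table -AutoSize
# On the machine being audited, read the live registry instead:
# Test-NullSessionSettings | Format-Table -AutoSize
```

A REVIEW status only means anonymous callers can still reach the listed pipes or shares; whether an entry is needed depends on the services the host runs.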

Related: Using NULL sessions to access this information

More info MS KB Q823659
More info MS KB Q889030

Updated: 23 September 2007

Comments:

Comment by Kenny - 20 April 2006 @ 8:25

I’ve tried to set both the restrictAnonymous and restrictAnonymous but yet the problem is still there. Further to this, I also

Create Key Name:
RestrictNullSessAccess Reg_Dword set to "1" (Decimal)

Restrict Null Session Access over Named Pipes and Shares
By default the entries are:

NullSessionPipes: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks
NullSessionShares: COMCFG, DFS$

Navigate to the following registry key:
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

Value Name: NullSessionPipes
NullSessionShares

Use Regedt32, Edit, Multistring and remove all entries from the 2 values

Do you have any idea? I’m running on Windows XP

Comment by snakefoot - 20 April 2006 @ 12:21

Kenny
I’ve tried to set both the restrictAnonymous and restrictAnonymous but yet the problem is still there.

What kind of “problem” are you experiencing?

Are you using simple filesharing?

Remember that the group policy “Network access: Do not allow anonymous enumeration of SAM accounts and shares” will configure the RestrictAnonymous registry setting at start up.
