Re: NULL IPC$ Sessions - incorrect information

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/04/02


Date:         Mon, 4 Feb 2002 15:54:42 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Ok, my mistake, I let through Michael Katz's post without sufficient
review. In it, he provides some incorrect information regarding null
session access and Windows NT 4.0. His information about W2K and XP was
accurate.

Microsoft's Trusted Computing Initiative team was ever vigilant and sent
me a note on this within seconds of it being released to the list.

Michael said:

\SYSTEM
 \CurrentControlSet
  \Services
   \LanmanServer
    \Parameters
     \RestrictNullSessAccess

Set the REG_DWORD value of the above key to 1 (default is 0).

In fact, the purpose of this registry key is to add it and set it to 0
in order to ENABLE null session access. Without the key, it's as if it's
there and set to 1, and DISABLES null session access to anything but
those pipes listed in NullSessionPipes and those shares listed in
NullSessionShares.

So, while it may be possible to restrict some access by clearing those other
keys (NullSessionPipes and NullSessionShares), it will not achieve the
results Michael suggested (it won't affect null session access to IPC$,
for example).

The best approach is to use the RestrictAnonymous registry entry as
documented in MSKB Q143474 (NT) and MSKB Q246261 (W2K) which can
completely stop any enumeration based on null sessions.

Finally, I should also point out that the null session enumeration is at
least 4 years old now, first demonstrated by Aleita Software as "Red
Button". I put through Josh Santomieri's message about his tool simply as
a reminder of the issue, and because his source for his tool was
available on his site.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"My thoughts are facts in my world, opinion to you. YMMV"
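
A read-only audit of the values discussed in this message, as an added example that is not part of the original post (PowerShell, run locally on the host being checked). The HKLM hive prefix and the Control\Lsa location of RestrictAnonymous are not given in the message and are assumptions from general Windows knowledge; the helper name Get-RegValueOrNull is hypothetical.

```powershell
# Added example: read-only audit of the null-session values discussed above.
# Assumption: the \SYSTEM\... path in the message sits under HKLM, and
# RestrictAnonymous is read from Control\Lsa (location not given in the message).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValueOrNull {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$restrict = Get-RegValueOrNull $lanman 'RestrictNullSessAccess'
$anon     = Get-RegValueOrNull $lsa    'RestrictAnonymous'
# REG_MULTI_SZ values come back as string arrays; drop empty entries.
$pipes  = @(Get-RegValueOrNull $lanman 'NullSessionPipes'  | Where-Object { $_ })
$shares = @(Get-RegValueOrNull $lanman 'NullSessionShares' | Where-Object { $_ })

# Per the message: an absent RestrictNullSessAccess behaves as if it were 1.
if ($null -eq $restrict) {
    $effective = 1
    $shown = 'absent (treated as 1)'
} else {
    $effective = [int]$restrict
    $shown = "$restrict"
}

Write-Output "RestrictNullSessAccess : $shown"
Write-Output "NullSessionPipes       : $($pipes -join ', ')"
Write-Output "NullSessionShares      : $($shares -join ', ')"
Write-Output "RestrictAnonymous      : $(if ($null -eq $anon) { 'absent' } else { $anon })"

if ($effective -eq 0) {
    Write-Warning 'RestrictNullSessAccess=0: null session access is ENABLED beyond the listed pipes and shares.'
} elseif ($pipes.Count -or $shares.Count) {
    Write-Warning 'Null sessions can still reach the pipes and shares listed above.'
}
if ($null -eq $anon -or [int]$anon -eq 0) {
    Write-Warning 'RestrictAnonymous is absent or 0: null-session enumeration is not restricted by it.'
}
```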
