RE: Null session in Windows XP

From: bmurphy@carterbloodcare.org
Date: 03/27/02


From: bmurphy@carterbloodcare.org
To: FOCUS-MS@SECURITYFOCUS.COM
Date: Wed, 27 Mar 2002 14:34:49 -0600

Can't you just set all NTFS Permissions to "Authenticated Users" Only?
(Versus default of Everyone)

-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Wednesday, March 27, 2002 1:16 PM
To: Tomasz Polus; FOCUS-MS@SECURITYFOCUS.COM
Subject: Re: Null session in Windows XP

Null sessions can *always* be established to NT4, Windows 2000, and Windows
XP machines. If the machine's server service is enabled, and ports 139 or
445 are available, then you can do a net use with anonymous credentials,
and the system will respond with "Command completed successfully". This
has not changed from NT4 to Win2K to XP.

What has changed, however, is what you are able to do once you establish
the null session. In NT4 and Win2K, by default, you could enumerate
information about users and shares. Setting RestrictAnonymous=1 would help
prevent this enumeration (though not fully). RestrictAnonymous=2
(Win2K only) would fully prevent this enumeration.

On Windows XP, there are new registry keys:

RestrictAnonymousSam=1 is a default setting. This prevents detailed
enumeration of user accounts. This setting correlates with the
SecurityPolicy setting "Do not allow anonymous enumeration of SAM
accounts" with a default setting 'Enabled' (meaning the default of XP will
prohibit anonymous enumeration (R.A.SAM=1)).

RestrictAnonymous=0 is a default setting. This correlates with the
SecurityPolicy Setting "Do not allow anonymous enumeration of SAM accounts
and shares". Set this policy to 'Enabled' (RA=1) to prevent anonymous
enumeration of shares.

RestrictAnonymous=2 (on XP) is no longer a valid setting.

So, by default, on an XP system, you can anonymously connect and enumerate
shares by default, but you cannot enumerate detailed user information.

To disable anonymous connections altogether, block access to tcp139/445
(IPSec port filters or Internet Connection Firewall), or uncheck "File and
Print Sharing for Microsoft Networks" from the network interface in
question (via the properties tab of the network connection).

At 09:04 AM 3/27/2002 +0100, Tomasz Polus wrote:
>Hi All,
>
>I have a problem with restricting null user access to Windows XP.
>I'm aware of all the information from the following articles:
>MSKB Q143474: Restricting Information Available to Anonymous
>Logon Users
>MSKB Q246261: How to Use the RestrictAnonymous Registry Value
>in Windows 2000
>RestrictAnonymous: Enumeration and the Null User
>(http://online.securityfocus.com/infocus/1352)
>
>and of course I set RestrictAnonymous and RestrictNullSessAccess
>registry keys properly (2;1). There is no problem in Windows 2000
>- these settings deny null user access to my machine.
>Unfortunately in Windows XP Professional it doesn't work this way.
>Null session still can be established... Can somebody please
>explain this to me?
>
>--
>Tomasz Polus
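
An added example, not part of the original thread: a small audit helper that reads the two values from saved `reg query` output and reports what anonymous enumeration the thread says remains possible on each Windows generation. The Lsa key path, the sample output and the function names are assumptions of this example.

```python
import re

# Constructed sample: `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# output for an XP host left at the defaults described in the thread.
SAMPLE_XP_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def assess(os_name, values):
    """os_name is 'nt4', 'win2k' or 'xp'; returns a list of findings."""
    ra = values.get("restrictanonymous", 0)
    findings = []
    if os_name == "xp":
        # A missing value falls back to the XP default given in the thread.
        ra_sam = values.get("restrictanonymoussam", 1)
        if ra_sam != 1:
            findings.append("anonymous SAM account enumeration allowed")
        if ra == 2:
            findings.append("RestrictAnonymous=2 is not a valid setting on XP")
        elif ra != 1:
            findings.append("anonymous share enumeration allowed")
    elif ra == 0:
        findings.append("anonymous user and share enumeration allowed")
    elif ra == 1:
        findings.append("enumeration only partly restricted")
    elif ra == 2 and os_name != "win2k":
        findings.append("RestrictAnonymous=2 is Win2K only")
    return findings

if __name__ == "__main__":
    for finding in assess("xp", parse_reg_query(SAMPLE_XP_DEFAULT)):
        print("xp:", finding)
```

An empty result means only that enumeration is restricted as the thread describes; the null session itself can still be established unless tcp139/445 is blocked or file and print sharing is unbound.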


