RE: Null session in Windows XP

From: Evans, TJ (tjevans@kpmg.com)
Date: 03/28/02

• Previous message: bmurphy@carterbloodcare.org: "RE: Null session in Windows XP"
• Maybe in reply to: Tomasz Polus: "Null session in Windows XP"
• Next in thread: Laura A. Robinson: "Re: Null session in Windows XP"
• Reply: Laura A. Robinson: "Re: Null session in Windows XP"
• Reply: Dave Feustel: "Re: Null session in Windows XP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Evans, TJ" <tjevans@kpmg.com>
To: FOCUS-MS@securityfocus.com
Date: Wed, 27 Mar 2002 20:14:51 -0500

Also worth dropping a note about ... :
1 The XP firewall .. this should stop any inbound connection attempt
...
(I haven't actually verified this myself, I use ZAP ... which does block
135/139/445)

2 if your 'environment' does not prohibit it, it also may not be a bad
idea to 'use NLTMv2 only/refuse NT/LM' ... a little more protection in that
many "tools" do not support connecting this way and also helps prevent
sniffing on your wire ...

Thanks!
TJ

-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Wednesday, March 27, 2002 2:16 PM
To: Tomasz Polus; FOCUS-MS@securityfocus.com
Subject: Re: Null session in Windows XP

Null sessions can *always* be established to NT4, Windows 2000, and Windows
XP machines. If the machine's server service is enabled, and ports 139 or
445 are available, then you can do a net use with anonymous credentials,
and the system will respond with "Command completed successfully". This
has not changed from NT4 to Win2K to XP.

What has changed, however, is what you are able to do once you establish
the null session. In NT4 and Win2K, by default, you could enumerate
information about users and shares. Setting RestrictAnonymous=1 would help
prevent against this enumaration (though not fully). RestrictAnonymous=2
(Win2K only) would fully prevent this enumeration.

On Windows XP, there are new registry keys:

RestrictAnonymousSam=1 is a default setting. This prevents detailed
enumeration of user accounts. This setting correlates with the
SecurityPolicy setting "Do not allow anonymous enumeration of SAM
accounts" with a default setting 'Enabled" (meaning the default of XP will
prohibit anonymous enumeration (R.A.SAM=1).

RestrictAnonymous=0 is a default setting. This correlates with the
SecurityPolicy Setting "Do not allow anonymous enumeration of SAM accounts
and shares". Set this policy to 'Enabled' (RA=1) to prevent anonymous
enumeration of shares.

RestrictAnonymous=2 (on XP) is no longer a valid setting.

So, by default, on an XP system, you can anonymously connect and enumerate
shares by default, but you cannot enumerate detailed user information.

To disable anonymous connections altogether, block access to tcp139/445
(IPSec port filters or Internet Connection Firewall), or uncheck "File and
Print Sharing for Microsoft Networks" from the network interface in
question (via the properties tab of the network connection).

At 09:04 AM 3/27/2002 +0100, Tomasz Polus wrote:
>Hi All,
>
>I have a problem with restricting null user access to Windows XP.
>I'm aware of all the information from the following articles:
>MSKB Q143474: Restricting Information Available to Anonymous
>Logon Users
>MSKB Q246261: How to Use the RestrictAnonymous Registry Value
>in Windows 2000
>RestrictAnonymous: Enumeration and the Null User
>(http://online.securityfocus.com/infocus/1352)
>
>and of course I set RestrictAnonymous and RestrictNullSessAccess
>registry keys properly (2;1). There is no problem in Windows 2000
>- these settings deny null user access to my machine.
>Unfortunately in Windows XP Professional it doesn't work this way.
>Null session still can be established... Can somebody please
>explain this to me?
>
>--
>Tomasz Polus
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************

---

• Previous message: bmurphy@carterbloodcare.org: "RE: Null session in Windows XP"
• Maybe in reply to: Tomasz Polus: "Null session in Windows XP"
• Next in thread: Laura A. Robinson: "Re: Null session in Windows XP"
• Reply: Laura A. Robinson: "Re: Null session in Windows XP"
• Reply: Dave Feustel: "Re: Null session in Windows XP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Null session in Windows XP ... Null session in Windows XP ... would fully prevent this enumeration. ... >I have a problem with restricting null user access to Windows XP. ... (Focus-Microsoft) Re: Null session in Windows XP ... Null sessions can *always* be established to NT4, Windows 2000, and Windows ... would fully prevent this enumeration. ... >I have a problem with restricting null user access to Windows XP. ... (Focus-Microsoft) RE: Null session in Windows XP ... Have you tried using the Local Security Policy snapin? ... I have a problem with restricting null user access to Windows XP. ... (Focus-Microsoft) Re: Null session in Windows XP ... >I have a problem with restricting null user access to Windows XP. ... >Null session still can be established... ... (Focus-Microsoft) Null session in Windows XP ... I have a problem with restricting null user access to Windows XP. ... MSKB Q246261: How to Use the RestrictAnonymous Registry Value ... (Focus-Microsoft)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2002-03