Re: Null session questions
From: neo [mvp outlook] (neo@mvps.org)
Date: 09/17/02
- Next message: David Cross [MS]: "Re: Winlogon"
- Previous message: Dominic: "Xcacls"
- In reply to: Adrian Mink: "Null session questions"
- Next in thread: Mike: "Re: Null session questions"
- Reply: Mike: "Re: Null session questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "neo [mvp outlook]" <neo@mvps.org> Date: Tue, 17 Sep 2002 05:56:44 -0700
Did a quick review this morning and here is what I can find.
RestrictNullSessAccess - If the key is not present, the value is interpreted
as 1 (which is the default setting) and configures NT to only allow access
to Null Session Pipes/Shares. If the registry key is present and set to 0,
then null sessions have access to resources that have been shared using the
Everyone group.
RestrictAnonymous - Can accept one of 3 values. The default 0, will allow
enumeration of shares, groups, and user accounts via a null session
connection. The value 1 which is compatible with legacy clients will
prohibit the enumeration of shares, groups, and user accounts to certain GUI
tools. The value 2 should only be used when the domain is 100% Windows
2000. Using the value 2 and still having legacy Windows operating systems
will cause issues where the member workstations and servers cannot setup a
secure netlogon channel.
Anytime you change these values, you must reboot the server or at the very
least, stop/start the server service and all dependent services.
"Adrian Mink" <adrian.mink@pinnaclewest.com> wrote in message
news:uieHFBcXCHA.4080@tkmsftngp08...
> Hello,
>
> A couple things I don't quite get I am hoping someone can explain. I have
> read the MS KB explanations, please don't point me back there, I am hoping
> for a different explanation!
>
> First, what is the difference between setting RestrictAnonymous and
setting
> RestrictNullSessAccess? Specifically, what does each one restrict?
>
> What is the difference between an anonymous connection and a null session?
>
> What would the consequenses be of setting RestrictNullSessAccess = 1 in a
> domain?
>
> I thought I had a handle on this stuff, but am no longer sure I do. When I
> run a nessus
> scan of some systems on my domain, I get the result that anonymous null
> session access is allowed.
> I then set restrictanonymous = 1, which should stop enumeration of
accounts
> and shares, and
> re-run the scan, and get the same message that null session access is
> allowed and that nessus
> can pull a list of SAM accounts and shares. Why is this?
>
> Thanks for any help!
>
> Adrian
>
>
>
>
- Next message: David Cross [MS]: "Re: Winlogon"
- Previous message: Dominic: "Xcacls"
- In reply to: Adrian Mink: "Null session questions"
- Next in thread: Mike: "Re: Null session questions"
- Reply: Mike: "Re: Null session questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
