Re: Null session questions

From: neo [mvp outlook] (neo@mvps.org)
Date: 09/18/02


From: "neo [mvp outlook]" <neo@mvps.org>
Date: Tue, 17 Sep 2002 17:43:00 -0700


Depending on the tools that you are using, enumeration is still
possible. Notice that I said that it blocked some GUI tools. The following
link on Microsoft's site delves a little into the subject.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q143474

However, since it is really easy to miss the paragraph saying that enumeration
is still possible, I tend to point people to
http://online.securityfocus.com/infocus/1352 which really explains things and
why things are still possible using a Null session connection.

Hope this helps...
/Neo

"Mike" <Mforster@centurytel.net> wrote in message
news:109701c25e7d$41b9be10$2ae2c90a@phx.gbl...
> I have RestrictAnonymous set to 1 in both NT 4.0 domains
> via manual registry edits /w reboots and Windows 2000 via
> group policy. I have been able to enumerate accounts on
> some of the NT 4.0 servers and some W2k servers with the
> exception of domain controllers (which I can't enumerate
> at all). Both enum and nullsess yield the same results.
> I have a case open with Microsoft (going on 3 weeks) without
> resolution. Anyone know how you're supposed to validate
> if the RestrictAnonymous 1 setting works? By the way I've
> run the enum and nullsess from an NT 4.0 and W2K client as
> a domain member and non domain member.
>
>
> >-----Original Message-----
> >Did a quick review this morning and here is what I can find.
> >
> >RestrictNullSessAccess - If the key is not present, the value is interpreted
> >as 1 (which is the default setting) and configures NT to only allow access
> >to Null Session Pipes/Shares. If the registry key is present and set to 0,
> >then null sessions have access to resources that have been shared using the
> >Everyone group.
> >
> >RestrictAnonymous - Can accept one of 3 values. The default 0, will allow
> >enumeration of shares, groups, and user accounts via a null session
> >connection. The value 1 which is compatible with legacy clients will
> >prohibit the enumeration of shares, groups, and user accounts to certain GUI
> >tools. The value 2 should only be used when the domain is 100% Windows
> >2000. Using the value 2 and still having legacy Windows operating systems
> >will cause issues where the member workstations and servers cannot set up a
> >secure netlogon channel.
> >
> >Anytime you change these values, you must reboot the server or at the very
> >least, stop/start the server service and all dependent services.
> >
> >"Adrian Mink" <adrian.mink@pinnaclewest.com> wrote in message
> >news:uieHFBcXCHA.4080@tkmsftngp08...
> >> Hello,
> >>
> >> A couple things I don't quite get I am hoping someone can explain. I have
> >> read the MS KB explanations, please don't point me back there, I am hoping
> >> for a different explanation!
> >>
> >> First, what is the difference between setting RestrictAnonymous and setting
> >> RestrictNullSessAccess? Specifically, what does each one restrict?
> >>
> >> What is the difference between an anonymous connection and a null session?
> >>
> >> What would the consequences be of setting RestrictNullSessAccess = 1 in a
> >> domain?
> >>
> >> I thought I had a handle on this stuff, but am no longer sure I do. When I
> >> run a nessus
> >> scan of some systems on my domain, I get the result that anonymous null
> >> session access is allowed.
> >> I then set restrictanonymous = 1, which should stop enumeration of accounts
> >> and shares, and
> >> re-run the scan, and get the same message that null session access is
> >> allowed and that nessus
> >> can pull a list of SAM accounts and shares. Why is this?
> >>
> >> Thanks for any help!
> >>
> >> Adrian

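A local check of the two settings discussed in this thread, as an added example that is not part of the original posts. The registry paths are the standard Windows locations (the thread does not quote them), the function name and the NeedsReview flag are hypothetical, and the interpretations are the ones given in the thread for NT 4.0 and Windows 2000.

```powershell
# Added example: report the two null-session registry settings from this thread.
# Registry paths are the standard Windows locations; the thread does not quote them.
function Get-NullSessionSetting {
    $checks = @(
        @{ Name = 'RestrictAnonymous'; Default = 0
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' },
        @{ Name = 'RestrictNullSessAccess'; Default = 1
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    )

    foreach ($c in $checks) {
        # A missing value is not an error: the default described in the thread applies.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $present = $null -ne $item
        $value = if ($present) { [int]$item.($c.Name) } else { $c.Default }

        # Interpretations follow the thread's description of each value.
        $meaning = switch ("$($c.Name)=$value") {
            'RestrictAnonymous=0'      { 'Null sessions can enumerate shares, groups and user accounts' }
            'RestrictAnonymous=1'      { 'Enumeration blocked only for certain GUI tools' }
            'RestrictAnonymous=2'      { 'Only for domains that are 100% Windows 2000' }
            'RestrictNullSessAccess=0' { 'Null sessions can reach resources shared to Everyone' }
            'RestrictNullSessAccess=1' { 'Null sessions limited to Null Session Pipes/Shares' }
            default                    { 'Value not covered by the thread' }
        }

        # Hypothetical flag: values the thread says still leave null-session exposure.
        $review = ($c.Name -eq 'RestrictAnonymous' -and $value -lt 2) -or
                  ($c.Name -eq 'RestrictNullSessAccess' -and $value -eq 0)

        [pscustomobject]@{
            Setting     = $c.Name
            Present     = $present
            Value       = $value
            Meaning     = $meaning
            NeedsReview = $review
        }
    }
}

Get-NullSessionSetting | Format-Table -AutoSize -Wrap
```

The output shows the configured values only; as noted in the thread, a change takes effect after a reboot or a restart of the Server service and its dependent services.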
