Re: Null Sessions - Restrict Anonymous

From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Fri, 6 Dec 2002 12:58:20 -0500


"Fady Haddad" <fadyhaddad@optushome.com.au> wrote in message
news:erNSIMUnCHA.1824@TK2MSFTNGP11...

> The issue being experienced is that on the Windows 2000 AD DC user
> information is still being enumerated from the SAM. Shares information is
> being restricted on these servers. The NT 4 BDC servers are OK, no
> information is leaking.

Are you sure? To the best of my knowledge, there is no way to properly
secure NT from null session enumeration. AFAIK RestrictAnonymous = 1 breaks
some enumeration tools but others continue to work. AFAIK this is also
broken in Windows 2000, unless you set RestrictAnonymous = 2, but you can't
do that in some situations such as on domain controllers. For example, see:

http://www.hammerofgod.com/download/Mullen-RA.ppt

According to the presentation above, enumeration tools such as GetAcct,
Userdump and SID2user / user2sid can still enumerate login IDs and passwords
even with RestrictAnonymous = 1, due to a lack of ACL permissions on
functions / procedure calls such as LookupAccountName. This presentation
also claims that RestrictAnonymous = 2 kills NT 4.0 network connectivity in
some unspecified way.

I would recommend downloading one of these tools to confirm that your NT
domain controllers really are not leaking data, and kindly let me know if
your servers are really secure against these tools, because I would be
surprised and would want to know this. See here for more info and to
download the free GetAcct tool:

http://www.securityfriday.com/Topics/restrictanonymous.html

> The local security Policy on the windows 2000 servers show that the
> effective setting is "do not allow enumeration of SAM accounts and shares"
> Servers have been rebooted several times, but still no results.

Check the RestrictAnonymous registry entry on all the servers to confirm
that the setting was applied successfully.
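
An added example, not part of the original post: one way to run the registry check suggested above across several servers from PowerShell. It assumes the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, that the Remote Registry service is reachable, and that you have admin rights on each target; the function name and the default of the local host are placeholders.

```powershell
# Added example: read RestrictAnonymous from each server's registry and
# compare it with the value the security policy was supposed to write.
function Get-RestrictAnonymous {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholder default: local host
        [int]$Expected = 1                               # value the policy should have applied
    )
    $lsaPath  = 'SYSTEM\CurrentControlSet\Control\Lsa'
    $meanings = @{
        0 = 'no restriction (default permissions apply)'
        1 = 'do not allow enumeration of SAM accounts and shares'
        2 = 'no access without explicit anonymous permissions'
    }
    foreach ($computer in $ComputerName) {
        $value = $null; $status = 'ok'; $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($lsaPath)
            if ($null -eq $key) {
                $status = 'Lsa key not readable'
            } else {
                $raw = $key.GetValue('RestrictAnonymous', $null)
                $key.Close()
                if ($null -eq $raw) { $status = 'value missing (behaves as 0)' }
                else { $value = [int]$raw }
            }
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $status = "query failed: $($_.Exception.Message)"
        } finally {
            if ($hklm) { $hklm.Close() }
        }
        $known = ($null -ne $value) -and $meanings.ContainsKey($value)
        [pscustomobject]@{
            Computer          = $computer
            RestrictAnonymous = $value
            Meaning           = $(if ($known) { $meanings[$value] } else { 'n/a' })
            MatchesExpected   = ($null -ne $value) -and ($value -eq $Expected)
            Status            = $status
        }
    }
}

# Local host by default; pass your own DC and BDC names with -ComputerName.
Get-RestrictAnonymous | Format-Table -AutoSize
```

A matching value only confirms that the policy reached the registry; as the post says, it does not by itself show that enumeration is blocked.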
