Re: Null Sessions - Restrict Anonymous

From: al (news@thispartisfake-13c.com)
Date: 12/06/02

I hope you are wrong Karl, I set my RestrictAnonymous = 1 and I have stopped
seeing event logs with hackers using real user names. Maybe I need the veil
lifted so I will be watching this thread.

al.NET

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:uPL9VFVnCHA.1024@TK2MSFTNGP10...
>
> "Fady Haddad" <fadyhaddad@optushome.com.au> wrote in message
> news:erNSIMUnCHA.1824@TK2MSFTNGP11...
>
> > The issue being experienced is that on the Windows 2000 AD DC user
> > information is still being enumerated from the SAM. Shares information is
> > being restricted on these servers. The NT 4 BDC servers are OK, no
> > information is leaking.
>
> Are you sure? To the best of my knowledge, there is no way to properly
> secure NT from null session enumeration. AFAIK RestrictAnonymous = 1 breaks
> some enumeration tools but others continue to work. AFAIK this is also
> broken in Windows 2000, unless you set RestrictAnonymous = 2, but you can't
> do that in some situations such as on domain controllers. For example, see:
>
> http://www.hammerofgod.com/download/Mullen-RA.ppt
>
> According to the presentation above, enumeration tools such as GetAcct,
> Userdump and SID2user / user2sid can still enumerate login IDs and passwords
> even with RestrictAnonymous = 1, due to a lack of ACL permissions on
> functions / procedure calls such as LookupAccountName. This presentation
> also claims that RestrictAnonymous = 2 kills NT 4.0 network connectivity in
> some unspecified way.
>
> I would recommend downloading one of these tools to confirm that your NT
> domain controllers really are not leaking data, and kindly let me know if
> your servers are really secure against these tools, because I would be
> surprised and would want to know this. See here for more info and to
> download the free GetAcct tool:
>
> http://www.securityfriday.com/Topics/restrictanonymous.html
>
> > The local security Policy on the windows 2000 servers shows that the
> > effective setting is "do not allow enumeration of SAM accounts and
> > shares"
> > Servers have been rebooted several times, but still no results.
>
> Check the RestrictAnonymous registry entry on all the servers to confirm
> that the setting was applied successfully.
>
>

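Karl's last suggestion, confirming the RestrictAnonymous registry value on every server rather than trusting what Local Security Policy displays, is the kind of check that is easy to script. The following is an added example written for this page, not code from anyone in the thread. It assumes the servers accept PowerShell remoting (Invoke-Command), that the account running it can read HKLM remotely, and that the server names in the list are constructed placeholders. The status text for each level summarises only what the thread itself says about that value.

```powershell
# Added example (not from the thread): report the effective RestrictAnonymous
# value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a list of servers,
# so that a policy that "shows" as applied can be verified at the registry.
# Assumption: each server is reachable over WinRM and the caller may read HKLM.
$servers = @('DC01', 'FILE01', 'BDC01')   # constructed placeholder names

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$report = foreach ($server in $servers) {
    try {
        # Read the DWORD on the remote machine; $null if the value is absent.
        $value = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($path)
            (Get-ItemProperty -Path $path -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue).RestrictAnonymous
        } -ArgumentList $lsaPath
    } catch {
        # Unreachable host or access denied: record it rather than skip it.
        $value = $null
    }

    if ($null -eq $value) {
        $status = 'value not set, host unreachable, or access denied'
    } elseif ($value -eq 0) {
        $status = 'anonymous enumeration not restricted'
    } elseif ($value -eq 1) {
        $status = 'SAM/share enumeration restricted for some tools; others still work (per thread)'
    } elseif ($value -eq 2) {
        $status = 'no anonymous access without explicit permissions (thread: not usable on all DCs)'
    } else {
        $status = "unexpected value $value"
    }

    [pscustomobject]@{
        Server            = $server
        RestrictAnonymous = $value
        Status            = $status
    }
}

# One row per server; a missing or 0 value on a machine that was supposedly
# hardened is the discrepancy Karl asks the original poster to look for.
$report | Format-Table -AutoSize
```

Run this after the policy change and reboot that Fady describes; a server whose row shows a missing or lower value than expected has not actually received the setting, whatever the policy snap-in reports. On later Windows versions the separate RestrictAnonymousSAM and EveryoneIncludesAnonymous values under the same Lsa key also affect anonymous enumeration, so a complete audit there would read those alongside RestrictAnonymous.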