Disabling of NULL shares on W2K DCs

Archived from groups: microsoft.public.win2000.security (More info?)

Does anyone know how to disable null sessions on domain
controllers?

Our auditors told us to turn off
nullsessionpipes\nullsessionshares on our domain
controllers.

But they didn't tell us what values to set them to.
Would anyone know?

Thanks!
7 answers Last reply
More about disabling null shares
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Apparently they don't know how to do it. Kind of like going to a doctor and he tells
    you that you are sick but not what to do.

    Here is a KB that discusses the use of those a bit.

    http://support.microsoft.com/default.aspx?kbid=289655

    There is a setting in Domain Controller Security Policy security options for
    additional restrictions for anonymous connection that if you set to no access without
    explicit anonymous permissions will disable the ability to use null shares/named
    pipes HOWEVER this can break things in a domain and cause problems with downlevel
    trusts, network browsing, and even changing passwords before logging on particularly
    if downlevel [NT, W9X] and even XP Pro computers are used. I wonder if they knew that
    before they told you to turn it off. The KB below explains restricting anonymous
    access and the possible ramifications.

    http://support.microsoft.com/?kbid=246261 -- pay attention to "The following tasks
    are restricted when the RestrictAnonymous registry value is set to 2 on a Windows
    2000-based domain controller"

    The Windows 2000 Security Hardening Guide also has more info on W2K security,
    including recommendations for specific networking configurations. --- Steve

    http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx --
    chapter 5 W2SHG.

    "Ping" <anonymous@discussions.microsoft.com> wrote in message
    news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
    > Does anyone know how to disable null sessions on domain
    > controllers?
    >
    > Our auditors told us to turn off
    > nullsessionpipes\nullsessionshares on our domain
    > controllers.
    >
    > But they didn't tell us what values to set them to.
    > Would anyone know?
    >
    > Thanks!
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks Steve,
    there was a paragraph in the Windows Server Hardening
    guide that covered dsiabling nullsessionhares and
    nullsessionpipes that was helpful.

    I don't know about that restricting anonymous access KB
    article tho, that looks scary.


    >-----Original Message-----
    >Apparently they don't know how to do it. Kind of like
    going to a doctor and he tells
    >you that you are sick but not what to do.
    >
    >Here is a KB that discusses the use of those a bit.
    >
    >http://support.microsoft.com/default.aspx?kbid=289655
    >
    >There is a setting in Domain Controller Security Policy
    security options for
    >additional restrictions for anonymous connection that if
    you set to no access without
    >explicit anonymous permissions will disable the ability
    to use null shares/named
    >pipes HOWEVER this can break things in a domain and cause
    problems with downlevel
    >trusts, network browsing, and even changing passwords
    before logging on particularly
    >if downlevel [NT, W9X] and even XP Pro computers are
    used. I wonder if they knew that
    >before they told you to turn it off. The KB below
    explains restricting anonymous
    >access and the possible ramifications.
    >
    >http://support.microsoft.com/?kbid=246261 -- pay
    attention to "The following tasks
    >are restricted when the RestrictAnonymous registry value
    is set to 2 on a Windows
    >2000-based domain controller"
    >
    >The Windows 2000 Security Hardening Guide also has more
    info on W2K security,
    >including recommendations for specific networking
    configurations. --- Steve
    >
    >http://www.microsoft.com/technet/Security/prodtech/win2000
    /win2khg/05sconfg.mspx --
    >chapter 5 W2SHG.
    >
    >"Ping" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
    >> Does anyone know how to disable null sessions on domain
    >> controllers?
    >>
    >> Our auditors told us to turn off
    >> nullsessionpipes\nullsessionshares on our domain
    >> controllers.
    >>
    >> But they didn't tell us what values to set them to.
    >> Would anyone know?
    >>
    >> Thanks!
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Ok. Glad you found out what you needed. The W2KSHG is a pretty good resource. As far
    as "additional restrictions for anonymous connections" the setting for "do not allow
    enumeration of sam account and shares" [ same as registry setting of 1 ] is usually
    safe to implement and very similar to how Windows 2003 Server is configured to
    restrict anonymous access. --- Steve


    "Ping" <anonymous@discussions.microsoft.com> wrote in message
    news:113b01c48525$25ac0090$a301280a@phx.gbl...
    > Thanks Steve,
    > there was a paragraph in the Windows Server Hardening
    > guide that covered dsiabling nullsessionhares and
    > nullsessionpipes that was helpful.
    >
    > I don't know about that restricting anonymous access KB
    > article tho, that looks scary.
    >
    >
    >>-----Original Message-----
    >>Apparently they don't know how to do it. Kind of like
    > going to a doctor and he tells
    >>you that you are sick but not what to do.
    >>
    >>Here is a KB that discusses the use of those a bit.
    >>
    >>http://support.microsoft.com/default.aspx?kbid=289655
    >>
    >>There is a setting in Domain Controller Security Policy
    > security options for
    >>additional restrictions for anonymous connection that if
    > you set to no access without
    >>explicit anonymous permissions will disable the ability
    > to use null shares/named
    >>pipes HOWEVER this can break things in a domain and cause
    > problems with downlevel
    >>trusts, network browsing, and even changing passwords
    > before logging on particularly
    >>if downlevel [NT, W9X] and even XP Pro computers are
    > used. I wonder if they knew that
    >>before they told you to turn it off. The KB below
    > explains restricting anonymous
    >>access and the possible ramifications.
    >>
    >>http://support.microsoft.com/?kbid=246261 -- pay
    > attention to "The following tasks
    >>are restricted when the RestrictAnonymous registry value
    > is set to 2 on a Windows
    >>2000-based domain controller"
    >>
    >>The Windows 2000 Security Hardening Guide also has more
    > info on W2K security,
    >>including recommendations for specific networking
    > configurations. --- Steve
    >>
    >>http://www.microsoft.com/technet/Security/prodtech/win2000
    > /win2khg/05sconfg.mspx --
    >>chapter 5 W2SHG.
    >>
    >>"Ping" <anonymous@discussions.microsoft.com> wrote in
    > message
    >>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
    >>> Does anyone know how to disable null sessions on domain
    >>> controllers?
    >>>
    >>> Our auditors told us to turn off
    >>> nullsessionpipes\nullsessionshares on our domain
    >>> controllers.
    >>>
    >>> But they didn't tell us what values to set them to.
    >>> Would anyone know?
    >>>
    >>> Thanks!
    >>
    >>
    >>.
    >>
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I agree that Restrictanonymous = 1 is usually safe. However, it doesn't
    disable null sessions, a lot of useful information can still be enumerated.
    You can read an article on this and download the getacct123 tool to see
    exactly what data is visible by going to www.securityfriday.com

    Using restrictanonymous = 2 breaks some things, most notably if you have any
    Win9x, ME or NT clients or servers requiring authentication.

    Note that Windows 2000 is the ONLY OS that uses Restrictanonymous = 2.
    Windows 2003 and XP only give you options of 0 and 1, and use a second
    registry value called RestrictAnonymousSAM that can also either be 0 or 1.


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:wdNUc.40547$TI1.4170@attbi_s52...
    > Ok. Glad you found out what you needed. The W2KSHG is a pretty good
    resource. As far
    > as "additional restrictions for anonymous connections" the setting for "do
    not allow
    > enumeration of sam account and shares" [ same as registry setting of 1 ]
    is usually
    > safe to implement and very similar to how Windows 2003 Server is
    configured to
    > restrict anonymous access. --- Steve
    >
    >
    > "Ping" <anonymous@discussions.microsoft.com> wrote in message
    > news:113b01c48525$25ac0090$a301280a@phx.gbl...
    > > Thanks Steve,
    > > there was a paragraph in the Windows Server Hardening
    > > guide that covered dsiabling nullsessionhares and
    > > nullsessionpipes that was helpful.
    > >
    > > I don't know about that restricting anonymous access KB
    > > article tho, that looks scary.
    > >
    > >
    > >>-----Original Message-----
    > >>Apparently they don't know how to do it. Kind of like
    > > going to a doctor and he tells
    > >>you that you are sick but not what to do.
    > >>
    > >>Here is a KB that discusses the use of those a bit.
    > >>
    > >>http://support.microsoft.com/default.aspx?kbid=289655
    > >>
    > >>There is a setting in Domain Controller Security Policy
    > > security options for
    > >>additional restrictions for anonymous connection that if
    > > you set to no access without
    > >>explicit anonymous permissions will disable the ability
    > > to use null shares/named
    > >>pipes HOWEVER this can break things in a domain and cause
    > > problems with downlevel
    > >>trusts, network browsing, and even changing passwords
    > > before logging on particularly
    > >>if downlevel [NT, W9X] and even XP Pro computers are
    > > used. I wonder if they knew that
    > >>before they told you to turn it off. The KB below
    > > explains restricting anonymous
    > >>access and the possible ramifications.
    > >>
    > >>http://support.microsoft.com/?kbid=246261 -- pay
    > > attention to "The following tasks
    > >>are restricted when the RestrictAnonymous registry value
    > > is set to 2 on a Windows
    > >>2000-based domain controller"
    > >>
    > >>The Windows 2000 Security Hardening Guide also has more
    > > info on W2K security,
    > >>including recommendations for specific networking
    > > configurations. --- Steve
    > >>
    > >>http://www.microsoft.com/technet/Security/prodtech/win2000
    > > /win2khg/05sconfg.mspx --
    > >>chapter 5 W2SHG.
    > >>
    > >>"Ping" <anonymous@discussions.microsoft.com> wrote in
    > > message
    > >>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
    > >>> Does anyone know how to disable null sessions on domain
    > >>> controllers?
    > >>>
    > >>> Our auditors told us to turn off
    > >>> nullsessionpipes\nullsessionshares on our domain
    > >>> controllers.
    > >>>
    > >>> But they didn't tell us what values to set them to.
    > >>> Would anyone know?
    > >>>
    > >>> Thanks!
    > >>
    > >>
    > >>.
    > >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Karl.

    I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted in a
    lot of support calls from users who implemented it often from security templates
    [such as the NSA ones] without investigating the ramifications first or because W2003
    offers about six related settings for more granular control of anonymous access
    offering almost the same. Interesting enough at least one version of MBSA would
    instruct users to implement the " 2 "setting without mentioning any side affects. I
    have been playing around with XP SP2 and it actually warns you if you are going to
    make a change to a security setting that may cause a conflict with other operating
    systems and refers you to a related KB article - very nice! I had most of the
    GPO/security policy settings memorized for W2K but now with XP SP2 it is a whole new
    game with a mind boggling selection of policy settings. --- Steve


    "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
    news:eZVOoSahEHA.3548@TK2MSFTNGP09.phx.gbl...
    >I agree that Restrictanonymous = 1 is usually safe. However, it doesn't
    > disable null sessions, a lot of useful information can still be enumerated.
    > You can read an article on this and download the getacct123 tool to see
    > exactly what data is visible by going to www.securityfriday.com
    >
    > Using restrictanonymous = 2 breaks some things, most notably if you have any
    > Win9x, ME or NT clients or servers requiring authentication.
    >
    > Note that Windows 2000 is the ONLY OS that uses Restrictanonymous = 2.
    > Windows 2003 and XP only give you options of 0 and 1, and use a second
    > registry value called RestrictAnonymousSAM that can also either be 0 or 1.
    >
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:wdNUc.40547$TI1.4170@attbi_s52...
    >> Ok. Glad you found out what you needed. The W2KSHG is a pretty good
    > resource. As far
    >> as "additional restrictions for anonymous connections" the setting for "do
    > not allow
    >> enumeration of sam account and shares" [ same as registry setting of 1 ]
    > is usually
    >> safe to implement and very similar to how Windows 2003 Server is
    > configured to
    >> restrict anonymous access. --- Steve
    >>
    >>
    >> "Ping" <anonymous@discussions.microsoft.com> wrote in message
    >> news:113b01c48525$25ac0090$a301280a@phx.gbl...
    >> > Thanks Steve,
    >> > there was a paragraph in the Windows Server Hardening
    >> > guide that covered dsiabling nullsessionhares and
    >> > nullsessionpipes that was helpful.
    >> >
    >> > I don't know about that restricting anonymous access KB
    >> > article tho, that looks scary.
    >> >
    >> >
    >> >>-----Original Message-----
    >> >>Apparently they don't know how to do it. Kind of like
    >> > going to a doctor and he tells
    >> >>you that you are sick but not what to do.
    >> >>
    >> >>Here is a KB that discusses the use of those a bit.
    >> >>
    >> >>http://support.microsoft.com/default.aspx?kbid=289655
    >> >>
    >> >>There is a setting in Domain Controller Security Policy
    >> > security options for
    >> >>additional restrictions for anonymous connection that if
    >> > you set to no access without
    >> >>explicit anonymous permissions will disable the ability
    >> > to use null shares/named
    >> >>pipes HOWEVER this can break things in a domain and cause
    >> > problems with downlevel
    >> >>trusts, network browsing, and even changing passwords
    >> > before logging on particularly
    >> >>if downlevel [NT, W9X] and even XP Pro computers are
    >> > used. I wonder if they knew that
    >> >>before they told you to turn it off. The KB below
    >> > explains restricting anonymous
    >> >>access and the possible ramifications.
    >> >>
    >> >>http://support.microsoft.com/?kbid=246261 -- pay
    >> > attention to "The following tasks
    >> >>are restricted when the RestrictAnonymous registry value
    >> > is set to 2 on a Windows
    >> >>2000-based domain controller"
    >> >>
    >> >>The Windows 2000 Security Hardening Guide also has more
    >> > info on W2K security,
    >> >>including recommendations for specific networking
    >> > configurations. --- Steve
    >> >>
    >> >>http://www.microsoft.com/technet/Security/prodtech/win2000
    >> > /win2khg/05sconfg.mspx --
    >> >>chapter 5 W2SHG.
    >> >>
    >> >>"Ping" <anonymous@discussions.microsoft.com> wrote in
    >> > message
    >> >>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
    >> >>> Does anyone know how to disable null sessions on domain
    >> >>> controllers?
    >> >>>
    >> >>> Our auditors told us to turn off
    >> >>> nullsessionpipes\nullsessionshares on our domain
    >> >>> controllers.
    >> >>>
    >> >>> But they didn't tell us what values to set them to.
    >> >>> Would anyone know?
    >> >>>
    >> >>> Thanks!
    >> >>
    >> >>
    >> >>.
    >> >>
    >>
    >>
    >
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    I think your comment about "granular control" is the key. While
    changing these settings every time a new OS is released is annoying, I
    would think the advantage to having two different binary values
    instead of one multiple choice value is that you can configure each
    one independently if you wish.

    I'm not sure if that's relevant or meaningful in this current example,
    e.g. whether configuring RestrictAnonymousSAM = 1 but
    RestrictAnonymous = 0 would make a difference or not.


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<3uWUc.278211$a24.9311@attbi_s03>...
    > Hi Karl.
    >
    > I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted in a
    > lot of support calls from users who implemented it often from security templates
    > [such as the NSA ones] without investigating the ramifications first or because W2003
    > offers about six related settings for more granular control of anonymous access
    > offering almost the same.
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    Interestingly I ran a little test. In addition to the tool you mention, Superscan4
    from Foundstone can also enumerate using a null session. For W2K a setting of " 2 "
    blocks everything, however the setting of " 1 " still allows enumeration of user
    accounts, groups, shares, and password/account lockout policy or in other words it
    does not prevent anonymous enumeration of sam account and shares as the settings
    suggests and as you indicate. Not only does it allow enumeration of users and groups
    but gives detailed account properties for the account and groups show group
    membership. I could not really find any reason using Supercan4 to use setting " 1 "
    over setting " 0 " for W2K while a setting of " 2 " can cause problems in mixed
    network configurations. For W2K it seems to be an all or nothing trap.

    Windows 2003 however shows that in default security configuration of " do not allow
    anonymous enumeration of sam account " it actually works as advertised and I was not
    able to obtain and user, group, or password/account policy information - only
    enumeration of shares. When I also enabled " do not allow anonymous enumeration of
    sam account and sharers" for Windows 2003 I saw no difference and was still able to
    enumerate shares though to me that is a lot less important information to an attacker
    than detailed user, group, password/account information. --- Steve


    "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
    news:e51f18d1.0408190623.742429e@posting.google.com...
    >I think your comment about "granular control" is the key. While
    > changing these settings every time a new OS is released is annoying, I
    > would think the advantage to having two different binary values
    > instead of one multiple choice value is that you can configure each
    > one independently if you wish.
    >
    > I'm not sure if that's relevant or meaningful in this current example,
    > e.g. whether configuring RestrictAnonymousSAM = 1 but
    > RestrictAnonymous = 0 would make a difference or not.
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:<3uWUc.278211$a24.9311@attbi_s03>...
    >> Hi Karl.
    >>
    >> I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted
    >> in a
    >> lot of support calls from users who implemented it often from security templates
    >> [such as the NSA ones] without investigating the ramifications first or because
    >> W2003
    >> offers about six related settings for more granular control of anonymous access
    >> offering almost the same.
Ask a new question

Read More

Security Domain Microsoft Windows