Sign in with
Sign up | Sign in
Your question

Disabling of NULL shares on W2K DCs

Last response: in Windows 2000/NT
Share
August 17, 2004 4:24:08 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Does anyone know how to disable null sessions on domain
controllers?

Our auditors told us to turn off
nullsessionpipes\nullsessionshares on our domain
controllers.

But they didn't tell us what values to set them to.
Would anyone know?

Thanks!
Anonymous
a b 8 Security
August 18, 2004 12:30:37 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Apparently they don't know how to do it. Kind of like going to a doctor and he tells
you that you are sick but not what to do.

Here is a KB that discusses the use of those a bit.

http://support.microsoft.com/default.aspx?kbid=289655

There is a setting in Domain Controller Security Policy security options for
additional restrictions for anonymous connection that if you set to no access without
explicit anonymous permissions will disable the ability to use null shares/named
pipes HOWEVER this can break things in a domain and cause problems with downlevel
trusts, network browsing, and even changing passwords before logging on particularly
if downlevel [NT, W9X] and even XP Pro computers are used. I wonder if they knew that
before they told you to turn it off. The KB below explains restricting anonymous
access and the possible ramifications.

http://support.microsoft.com/?kbid=246261 -- pay attention to "The following tasks
are restricted when the RestrictAnonymous registry value is set to 2 on a Windows
2000-based domain controller"

The Windows 2000 Security Hardening Guide also has more info on W2K security,
including recommendations for specific networking configurations. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2... --
chapter 5 W2SHG.

"Ping" <anonymous@discussions.microsoft.com> wrote in message
news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
> Does anyone know how to disable null sessions on domain
> controllers?
>
> Our auditors told us to turn off
> nullsessionpipes\nullsessionshares on our domain
> controllers.
>
> But they didn't tell us what values to set them to.
> Would anyone know?
>
> Thanks!
August 18, 2004 10:13:26 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Steve,
there was a paragraph in the Windows Server Hardening
guide that covered dsiabling nullsessionhares and
nullsessionpipes that was helpful.

I don't know about that restricting anonymous access KB
article tho, that looks scary.


>-----Original Message-----
>Apparently they don't know how to do it. Kind of like
going to a doctor and he tells
>you that you are sick but not what to do.
>
>Here is a KB that discusses the use of those a bit.
>
>http://support.microsoft.com/default.aspx?kbid=289655
>
>There is a setting in Domain Controller Security Policy
security options for
>additional restrictions for anonymous connection that if
you set to no access without
>explicit anonymous permissions will disable the ability
to use null shares/named
>pipes HOWEVER this can break things in a domain and cause
problems with downlevel
>trusts, network browsing, and even changing passwords
before logging on particularly
>if downlevel [NT, W9X] and even XP Pro computers are
used. I wonder if they knew that
>before they told you to turn it off. The KB below
explains restricting anonymous
>access and the possible ramifications.
>
>http://support.microsoft.com/?kbid=246261 -- pay
attention to "The following tasks
>are restricted when the RestrictAnonymous registry value
is set to 2 on a Windows
>2000-based domain controller"
>
>The Windows 2000 Security Hardening Guide also has more
info on W2K security,
>including recommendations for specific networking
configurations. --- Steve
>
>http://www.microsoft.com/technet/Security/prodtech/win2...
/win2khg/05sconfg.mspx --
>chapter 5 W2SHG.
>
>"Ping" <anonymous@discussions.microsoft.com> wrote in
message
>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
>> Does anyone know how to disable null sessions on domain
>> controllers?
>>
>> Our auditors told us to turn off
>> nullsessionpipes\nullsessionshares on our domain
>> controllers.
>>
>> But they didn't tell us what values to set them to.
>> Would anyone know?
>>
>> Thanks!
>
>
>.
>
Related resources
Anonymous
a b 8 Security
August 18, 2004 10:28:44 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Ok. Glad you found out what you needed. The W2KSHG is a pretty good resource. As far
as "additional restrictions for anonymous connections" the setting for "do not allow
enumeration of sam account and shares" [ same as registry setting of 1 ] is usually
safe to implement and very similar to how Windows 2003 Server is configured to
restrict anonymous access. --- Steve


"Ping" <anonymous@discussions.microsoft.com> wrote in message
news:113b01c48525$25ac0090$a301280a@phx.gbl...
> Thanks Steve,
> there was a paragraph in the Windows Server Hardening
> guide that covered dsiabling nullsessionhares and
> nullsessionpipes that was helpful.
>
> I don't know about that restricting anonymous access KB
> article tho, that looks scary.
>
>
>>-----Original Message-----
>>Apparently they don't know how to do it. Kind of like
> going to a doctor and he tells
>>you that you are sick but not what to do.
>>
>>Here is a KB that discusses the use of those a bit.
>>
>>http://support.microsoft.com/default.aspx?kbid=289655
>>
>>There is a setting in Domain Controller Security Policy
> security options for
>>additional restrictions for anonymous connection that if
> you set to no access without
>>explicit anonymous permissions will disable the ability
> to use null shares/named
>>pipes HOWEVER this can break things in a domain and cause
> problems with downlevel
>>trusts, network browsing, and even changing passwords
> before logging on particularly
>>if downlevel [NT, W9X] and even XP Pro computers are
> used. I wonder if they knew that
>>before they told you to turn it off. The KB below
> explains restricting anonymous
>>access and the possible ramifications.
>>
>>http://support.microsoft.com/?kbid=246261 -- pay
> attention to "The following tasks
>>are restricted when the RestrictAnonymous registry value
> is set to 2 on a Windows
>>2000-based domain controller"
>>
>>The Windows 2000 Security Hardening Guide also has more
> info on W2K security,
>>including recommendations for specific networking
> configurations. --- Steve
>>
>>http://www.microsoft.com/technet/Security/prodtech/win2...
> /win2khg/05sconfg.mspx --
>>chapter 5 W2SHG.
>>
>>"Ping" <anonymous@discussions.microsoft.com> wrote in
> message
>>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
>>> Does anyone know how to disable null sessions on domain
>>> controllers?
>>>
>>> Our auditors told us to turn off
>>> nullsessionpipes\nullsessionshares on our domain
>>> controllers.
>>>
>>> But they didn't tell us what values to set them to.
>>> Would anyone know?
>>>
>>> Thanks!
>>
>>
>>.
>>
Anonymous
a b 8 Security
August 19, 2004 4:32:36 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I agree that Restrictanonymous = 1 is usually safe. However, it doesn't
disable null sessions, a lot of useful information can still be enumerated.
You can read an article on this and download the getacct123 tool to see
exactly what data is visible by going to www.securityfriday.com

Using restrictanonymous = 2 breaks some things, most notably if you have any
Win9x, ME or NT clients or servers requiring authentication.

Note that Windows 2000 is the ONLY OS that uses Restrictanonymous = 2.
Windows 2003 and XP only give you options of 0 and 1, and use a second
registry value called RestrictAnonymousSAM that can also either be 0 or 1.



"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:wdNUc.40547$TI1.4170@attbi_s52...
> Ok. Glad you found out what you needed. The W2KSHG is a pretty good
resource. As far
> as "additional restrictions for anonymous connections" the setting for "do
not allow
> enumeration of sam account and shares" [ same as registry setting of 1 ]
is usually
> safe to implement and very similar to how Windows 2003 Server is
configured to
> restrict anonymous access. --- Steve
>
>
> "Ping" <anonymous@discussions.microsoft.com> wrote in message
> news:113b01c48525$25ac0090$a301280a@phx.gbl...
> > Thanks Steve,
> > there was a paragraph in the Windows Server Hardening
> > guide that covered dsiabling nullsessionhares and
> > nullsessionpipes that was helpful.
> >
> > I don't know about that restricting anonymous access KB
> > article tho, that looks scary.
> >
> >
> >>-----Original Message-----
> >>Apparently they don't know how to do it. Kind of like
> > going to a doctor and he tells
> >>you that you are sick but not what to do.
> >>
> >>Here is a KB that discusses the use of those a bit.
> >>
> >>http://support.microsoft.com/default.aspx?kbid=289655
> >>
> >>There is a setting in Domain Controller Security Policy
> > security options for
> >>additional restrictions for anonymous connection that if
> > you set to no access without
> >>explicit anonymous permissions will disable the ability
> > to use null shares/named
> >>pipes HOWEVER this can break things in a domain and cause
> > problems with downlevel
> >>trusts, network browsing, and even changing passwords
> > before logging on particularly
> >>if downlevel [NT, W9X] and even XP Pro computers are
> > used. I wonder if they knew that
> >>before they told you to turn it off. The KB below
> > explains restricting anonymous
> >>access and the possible ramifications.
> >>
> >>http://support.microsoft.com/?kbid=246261 -- pay
> > attention to "The following tasks
> >>are restricted when the RestrictAnonymous registry value
> > is set to 2 on a Windows
> >>2000-based domain controller"
> >>
> >>The Windows 2000 Security Hardening Guide also has more
> > info on W2K security,
> >>including recommendations for specific networking
> > configurations. --- Steve
> >>
> >>http://www.microsoft.com/technet/Security/prodtech/win2...
> > /win2khg/05sconfg.mspx --
> >>chapter 5 W2SHG.
> >>
> >>"Ping" <anonymous@discussions.microsoft.com> wrote in
> > message
> >>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
> >>> Does anyone know how to disable null sessions on domain
> >>> controllers?
> >>>
> >>> Our auditors told us to turn off
> >>> nullsessionpipes\nullsessionshares on our domain
> >>> controllers.
> >>>
> >>> But they didn't tell us what values to set them to.
> >>> Would anyone know?
> >>>
> >>> Thanks!
> >>
> >>
> >>.
> >>
>
>
Anonymous
a b 8 Security
August 19, 2004 9:00:47 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Karl.

I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted in a
lot of support calls from users who implemented it often from security templates
[such as the NSA ones] without investigating the ramifications first or because W2003
offers about six related settings for more granular control of anonymous access
offering almost the same. Interesting enough at least one version of MBSA would
instruct users to implement the " 2 "setting without mentioning any side affects. I
have been playing around with XP SP2 and it actually warns you if you are going to
make a change to a security setting that may cause a conflict with other operating
systems and refers you to a related KB article - very nice! I had most of the
GPO/security policy settings memorized for W2K but now with XP SP2 it is a whole new
game with a mind boggling selection of policy settings. --- Steve


"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:eZVOoSahEHA.3548@TK2MSFTNGP09.phx.gbl...
>I agree that Restrictanonymous = 1 is usually safe. However, it doesn't
> disable null sessions, a lot of useful information can still be enumerated.
> You can read an article on this and download the getacct123 tool to see
> exactly what data is visible by going to www.securityfriday.com
>
> Using restrictanonymous = 2 breaks some things, most notably if you have any
> Win9x, ME or NT clients or servers requiring authentication.
>
> Note that Windows 2000 is the ONLY OS that uses Restrictanonymous = 2.
> Windows 2003 and XP only give you options of 0 and 1, and use a second
> registry value called RestrictAnonymousSAM that can also either be 0 or 1.
>
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:wdNUc.40547$TI1.4170@attbi_s52...
>> Ok. Glad you found out what you needed. The W2KSHG is a pretty good
> resource. As far
>> as "additional restrictions for anonymous connections" the setting for "do
> not allow
>> enumeration of sam account and shares" [ same as registry setting of 1 ]
> is usually
>> safe to implement and very similar to how Windows 2003 Server is
> configured to
>> restrict anonymous access. --- Steve
>>
>>
>> "Ping" <anonymous@discussions.microsoft.com> wrote in message
>> news:113b01c48525$25ac0090$a301280a@phx.gbl...
>> > Thanks Steve,
>> > there was a paragraph in the Windows Server Hardening
>> > guide that covered dsiabling nullsessionhares and
>> > nullsessionpipes that was helpful.
>> >
>> > I don't know about that restricting anonymous access KB
>> > article tho, that looks scary.
>> >
>> >
>> >>-----Original Message-----
>> >>Apparently they don't know how to do it. Kind of like
>> > going to a doctor and he tells
>> >>you that you are sick but not what to do.
>> >>
>> >>Here is a KB that discusses the use of those a bit.
>> >>
>> >>http://support.microsoft.com/default.aspx?kbid=289655
>> >>
>> >>There is a setting in Domain Controller Security Policy
>> > security options for
>> >>additional restrictions for anonymous connection that if
>> > you set to no access without
>> >>explicit anonymous permissions will disable the ability
>> > to use null shares/named
>> >>pipes HOWEVER this can break things in a domain and cause
>> > problems with downlevel
>> >>trusts, network browsing, and even changing passwords
>> > before logging on particularly
>> >>if downlevel [NT, W9X] and even XP Pro computers are
>> > used. I wonder if they knew that
>> >>before they told you to turn it off. The KB below
>> > explains restricting anonymous
>> >>access and the possible ramifications.
>> >>
>> >>http://support.microsoft.com/?kbid=246261 -- pay
>> > attention to "The following tasks
>> >>are restricted when the RestrictAnonymous registry value
>> > is set to 2 on a Windows
>> >>2000-based domain controller"
>> >>
>> >>The Windows 2000 Security Hardening Guide also has more
>> > info on W2K security,
>> >>including recommendations for specific networking
>> > configurations. --- Steve
>> >>
>> >>http://www.microsoft.com/technet/Security/prodtech/win2...
>> > /win2khg/05sconfg.mspx --
>> >>chapter 5 W2SHG.
>> >>
>> >>"Ping" <anonymous@discussions.microsoft.com> wrote in
>> > message
>> >>news:09bf01c4848f$c4c856b0$a301280a@phx.gbl...
>> >>> Does anyone know how to disable null sessions on domain
>> >>> controllers?
>> >>>
>> >>> Our auditors told us to turn off
>> >>> nullsessionpipes\nullsessionshares on our domain
>> >>> controllers.
>> >>>
>> >>> But they didn't tell us what values to set them to.
>> >>> Would anyone know?
>> >>>
>> >>> Thanks!
>> >>
>> >>
>> >>.
>> >>
>>
>>
>
>
Anonymous
a b 8 Security
August 19, 2004 11:23:38 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I think your comment about "granular control" is the key. While
changing these settings every time a new OS is released is annoying, I
would think the advantage to having two different binary values
instead of one multiple choice value is that you can configure each
one independently if you wish.

I'm not sure if that's relevant or meaningful in this current example,
e.g. whether configuring RestrictAnonymousSAM = 1 but
RestrictAnonymous = 0 would make a difference or not.


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<3uWUc.278211$a24.9311@attbi_s03>...
> Hi Karl.
>
> I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted in a
> lot of support calls from users who implemented it often from security templates
> [such as the NSA ones] without investigating the ramifications first or because W2003
> offers about six related settings for more granular control of anonymous access
> offering almost the same.
Anonymous
a b 8 Security
August 19, 2004 8:26:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Interestingly I ran a little test. In addition to the tool you mention, Superscan4
from Foundstone can also enumerate using a null session. For W2K a setting of " 2 "
blocks everything, however the setting of " 1 " still allows enumeration of user
accounts, groups, shares, and password/account lockout policy or in other words it
does not prevent anonymous enumeration of sam account and shares as the settings
suggests and as you indicate. Not only does it allow enumeration of users and groups
but gives detailed account properties for the account and groups show group
membership. I could not really find any reason using Supercan4 to use setting " 1 "
over setting " 0 " for W2K while a setting of " 2 " can cause problems in mixed
network configurations. For W2K it seems to be an all or nothing trap.

Windows 2003 however shows that in default security configuration of " do not allow
anonymous enumeration of sam account " it actually works as advertised and I was not
able to obtain and user, group, or password/account policy information - only
enumeration of shares. When I also enabled " do not allow anonymous enumeration of
sam account and sharers" for Windows 2003 I saw no difference and was still able to
enumerate shares though to me that is a lot less important information to an attacker
than detailed user, group, password/account information. --- Steve


"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:e51f18d1.0408190623.742429e@posting.google.com...
>I think your comment about "granular control" is the key. While
> changing these settings every time a new OS is released is annoying, I
> would think the advantage to having two different binary values
> instead of one multiple choice value is that you can configure each
> one independently if you wish.
>
> I'm not sure if that's relevant or meaningful in this current example,
> e.g. whether configuring RestrictAnonymousSAM = 1 but
> RestrictAnonymous = 0 would make a difference or not.
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<3uWUc.278211$a24.9311@attbi_s03>...
>> Hi Karl.
>>
>> I wonder why setting of " 2 " was abandoned? My guess is that maybe it resulted
>> in a
>> lot of support calls from users who implemented it often from security templates
>> [such as the NSA ones] without investigating the ramifications first or because
>> W2003
>> offers about six related settings for more granular control of anonymous access
>> offering almost the same.
!