Null Session Fix not working on Domain Controllers

Guest
Archived from groups: microsoft.public.win2000.security

We have been setting the registry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
RestrictAnonymous to 1 as a standard practice. This prevents usernames and
shares from being enumerated on member servers but on domain controllers we
are still able to enumerate just the usernames. Setting to 2 causes some
applications to fail.

Saw a link to an article in the knowledgebase but it leads to an "article no
longer found".

Suggestions?

Thanks!

Guest

I think this is the relevant link you're probably looking for:

How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/default.aspx?kbid=246261


"Nevada_Paul" wrote:

> We have been setting the registry in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
> RestrictAnonymous to 1 as a standard practice. This prevents usernames and
> shares from being enumerated on member servers but on domain controllers we
> are still able to enumerate just the usernames. Setting to 2 causes some
> applications to fail.
>
> Saw a link to an article in the knowledgebase but it leads to an "article no
> longer found".
>
> Suggestions?
>
> Thanks!

Guest

Thanks Les. I've seen that particular article. In article 143474 there is a
sentence that says:

830070 Anonymous access using Null Session possible after you configure the
registry to restrict remote access

That is the problem we are experiencing ONLY on domain controllers after
making the registry changes that says specifically "1 Do Not Allow
enumeration of SAM accounts and names". Again, setting it to 2 breaks
internal applications.

Paul



"Les Arrowman" wrote:

> I think this is relevant link you're probably looking for:
>
> How to Use the RestrictAnonymous Registry Value in Windows 2000
> http://support.microsoft.com/default.aspx?kbid=246261
>
>
> "Nevada_Paul" wrote:
>
> > We have been setting the registry in
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
> > RestrictAnonymous to 1 as a standard practice. This prevents usernames and
> > shares from being enumerated on member servers but on domain controllers we
> > are still able to enumerate just the usernames. Setting to 2 causes some
> > applications to fail.
> >
> > Saw a link to an article in the knowledgebase but it leads to an "article no
> > longer found".
> >
> > Suggestions?
> >
> > Thanks!

Guest

The "2" setting is not suggested on domain controllers. If you are enforcing
strong passwords on the network, auditing for failed logon attempts, and use
a firewall to protect your network I would not worry about null sessions.
Domain controllers also tend to be master or domain master browsers [pdc
fsmo for sure] and the "2" setting can also cause problems with the browse
list if you use My Network Places. The Windows 2000 Security Hardening
Guide, Windows 2003 Security Guide, and Threats and Countermeasures Guide
have more information and recommendations on that particular security option
and all the others. --- Steve

http://www.infosec.uga.edu/windows.html -- links to Windows Security Guides

"Nevada_Paul" <NevadaPaul@discussions.microsoft.com> wrote in message
news:46808952-BD1F-4C82-B5BF-C9F9F81ED6AC@microsoft.com...
> We have been setting the registry in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
> RestrictAnonymous to 1 as a standard practice. This prevents usernames
> and
> shares from being enumerated on member servers but on domain controllers
> we
> are still able to enumerate just the usernames. Setting to 2 causes some
> applications to fail.
>
> Saw a link to an article in the knowledgebase but it leads to an "article
> no
> longer found".
>
> Suggestions?
>
> Thanks!

Guest

I seem to recall hearing 1 was disallowed on DCs due to breaking things on
clients that use anonymous connections to pull up various security dialog boxes
and such on clients. Completely valid traffic basically.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Nevada_Paul wrote:
> We have been setting the registry in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
> RestrictAnonymous to 1 as a standard practice. This prevents usernames and
> shares from being enumerated on member servers but on domain controllers we
> are still able to enumerate just the usernames. Setting to 2 causes some
> applications to fail.
>
> Saw a link to an article in the knowledgebase but it leads to an "article no
> longer found".
>
> Suggestions?
>
> Thanks!

Guest

"Nevada_Paul" <NevadaPaul@discussions.microsoft.com> wrote in message
news:46808952-BD1F-4C82-B5BF-C9F9F81ED6AC@microsoft.com...
> We have been setting the registry in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA by setting
> RestrictAnonymous to 1 as a standard practice. This prevents usernames
> and
> shares from being enumerated on member servers but on domain controllers
> we
> are still able to enumerate just the usernames. Setting to 2 causes some
> applications to fail.

Actually, I don't think 1 prevents usernames and shares from being
enumerated on any system, as long as you are using the right tool to get
that information. Setting it to 1 breaks some enumeration tools, but not
others. www.securityfriday.com has an article on what this does and does
not do, as well as the excellent getacct tool to test whether this setting
really is preventing enumeration of users on your workstations. The Windows
2000 group policy guide #3 at www.nsa.gov/snac also has a bit of
information.

Note that RestrictAnonymous=2 as a setting only exists in Windows 2000. In
NT, XP and 2003, 1 is the highest setting, and in the latter two there is a
second setting called RestrictAnonymousSam that does the rest. You want to
be sure not to apply any group policy templates for, say, Windows 2000, to
any other operating system and vice versa due to changes like this, as the
results can be undesirable.
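An audit helper added here to illustrate the thread's points (it is not code from any of the posters): it reads the LSA values discussed above and reports what they mean on the local OS generation, flagging the two situations the thread describes, a Windows 2000 DC left at RestrictAnonymous=1 and a RestrictAnonymous=2 value applied to a non-Windows-2000 system by a mismatched template. It assumes it runs elevated on the machine being checked and that the value names are RestrictAnonymous and RestrictAnonymousSAM.

```powershell
# Added example (not from the thread). Assumption: run elevated on the host being audited.
function Get-AnonymousRestrictionReport {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = [int]$lsa.RestrictAnonymous          # absent value -> $null -> 0
    $ras = $null
    if ($null -ne $lsa.RestrictAnonymousSAM) { $ras = [int]$lsa.RestrictAnonymousSAM }

    $ver  = [System.Environment]::OSVersion.Version
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDc = ($role -ge 4)
    $isWin2000 = ($ver.Major -eq 5 -and $ver.Minor -eq 0)

    $findings = @()
    if ($isWin2000) {
        # Windows 2000 uses the 0/1/2 scale discussed in the thread.
        if ($isDc -and $ra -eq 1) {
            $findings += 'DC at RestrictAnonymous=1: account names still enumerable over a null session (KB 830070)'
        }
        if ($isDc -and $ra -eq 2) {
            $findings += 'RestrictAnonymous=2 on a DC: not recommended; may break applications and browse list'
        }
    } else {
        # XP / 2003 and later: RestrictAnonymous tops out at 1; the SAM part
        # lives in RestrictAnonymousSAM.
        if ($ra -gt 1) {
            $findings += 'RestrictAnonymous>1 on a non-Windows-2000 host: likely a Windows 2000 template misapplied'
        }
        if ($null -eq $ras) {
            $findings += 'RestrictAnonymousSAM is not set; SAM account enumeration relies on the OS default'
        }
    }

    [pscustomobject]@{
        OSVersion            = $ver.ToString()
        IsDomainController   = $isDc
        RestrictAnonymous    = $ra
        RestrictAnonymousSAM = $ras
        Findings             = $findings
    }
}

Get-AnonymousRestrictionReport | Format-List
```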