Qualys scan shows "null session / password NetBIOS Access"

    General discussion

  • Greetings,

    Our Qualys scan shows "null session / password NetBIOS Access" and "NetBIOS Remote User List Disclosure" on Windows 2008 R2 domain controller.

    To avoid this vulnerability, I had to make the following changes to the local computer policy on the domain controller:

    • Network: anonymous SID / Name translation - Disabled
    • Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
    • Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
    • Network access: Let Everyone permissions apply to anonymous users - Disabled
    • Network access: Named Pipes that can be accessed anonymously - None
    • Network access: Shares that can be accessed anonymously - None

    The default value of "Network access: Named Pipes that can be accessed anonymously" was netlogon, SAMR and lsarpc. After I had removed this the vulnerabilities were no longer displayed in the scan.

    Does this affect the operation of the 2008 R2 domain controller?

    Any help and links to documentation on this subject would be appreciated. Thanks

    Wednesday, March 16, 2011 12:51 PM

All replies

  • I ran into this same issue and was wondering the same.  I'm about to try it out in test, but still nervous about production.  OP, did the changes make any difference in your environment?
    Wednesday, March 23, 2011 1:18 PM
  • Hello Josh,

    We use this on one DC in a production environment and have no complaints so far. We do have multiple domain controllers, so I still can't be sure if everything works OK with these settings applied on all the DCs.

    Friday, April 08, 2011 6:50 AM
  • I found that simply removing "samr" from "Network access: Named Pipes that can be accessed anonymously" seemed to prevent the dumping of usernames from anonymous, non-domain accounts including the Qualys scan. Additionally, these settings help (all should be default):

    • Network access: Allow anonymous SID / Name translation - Disabled
    • Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
    • Network access: Do not allow anonymous enumeration of SAM accounts and shares - Disabled (seems to have no effect if Enabled as far as the scans go)
    • Network access: Let Everyone permissions apply to anonymous users - Disabled
    • Network access: Shares that can be accessed anonymously - None

    Thursday, April 14, 2011 1:57 PM
  • Were you able to test Null Session access to the IPC$ share (net use \\<domain controller>\ipc$ "" /u:"") and determine that anonymous access was in fact disallowed?

    Friday, April 15, 2011 3:41 PM
  • Hi man,

    When I try to do that test, here's what I'm getting:

    System error 1219 has occurred.

    Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again..

    Does that mean it is secured already?


    /* Server Support Specialist */

    Saturday, March 03, 2012 1:51 AM
  • Josh, are those settings defined in the GPO - Default Domain Controllers Policy?

    /* Server Support Specialist */

    Saturday, March 03, 2012 1:53 AM
  • Hi.

    I had a similar problem and spent a good while trying to find a solution. We tried removing "samr" from the named pipes but that caused issues with forcing users to change passwords after a password reset.

    In the end, I found an article about pre-Windows 2000 compatible access and anonymous logons (can't paste link yet). I removed "Anonymous Logon" from the built-in domain group "Pre-Windows 2000 Compatible Access", re-ran the Qualys scan and the vulnerabilities were resolved. As we've no pre-Windows 2003/XP computers on our site, we've encountered no problems so far.

    Hope this helps.

    J.

    Thursday, April 04, 2013 1:17 PM
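
Added example, not part of any reply in this thread and not Microsoft or Qualys code: a read-only PowerShell audit that shows where a domain controller currently stands on the settings discussed above, so the effect of each change can be confirmed before and after a rescan. It assumes an elevated session on the DC with the ActiveDirectory module available, uses the standard registry values behind these policies, and compares against the original poster's values (the `MatchesOP` column name and `New-Finding` helper are made up for this example).

```powershell
# Added example: read-only audit of the anonymous-access settings named in this thread.
# Assumes an elevated session on the DC; written to run on PowerShell 2.0 (2008 R2).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Hypothetical helper: one result row per setting, with a fixed column order.
function New-Finding($Setting, $Current, $MatchesOP) {
    New-Object PSObject -Property @{ Setting = $Setting; Current = $Current; MatchesOP = $MatchesOP } |
        Select-Object Setting, Current, MatchesOP
}

# DWORD-backed policies and the value the original poster ended up with.
$dwords = @(
    @{ Name = 'RestrictAnonymousSAM';      Want = 1 },  # Do not allow anonymous enumeration of SAM accounts
    @{ Name = 'RestrictAnonymous';         Want = 1 },  # ...of SAM accounts and shares
    @{ Name = 'EveryoneIncludesAnonymous'; Want = 0 }   # Let Everyone permissions apply to anonymous users
)
$findings = @()
foreach ($d in $dwords) {
    $item  = Get-ItemProperty -Path $lsa -Name $d.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($d.Name) } else { '(not set)' }
    $findings += New-Finding $d.Name $value ($value -eq $d.Want)
}

# REG_MULTI_SZ lists behind "Named Pipes / Shares that can be accessed anonymously".
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $item    = Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue
    $entries = @()
    if ($item) { $entries = @($item.$name | Where-Object { $_ }) }  # drop empty strings
    $findings += New-Finding $name ($entries -join ', ') ($entries.Count -eq 0)
}

# Last reply's change: is Anonymous Logon (well-known SID S-1-5-7) still a member of
# Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554)? Well-known principals
# appear in the member attribute as CN=<SID>,CN=ForeignSecurityPrincipals,...
Import-Module ActiveDirectory
$group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
$anon  = @($group.member | Where-Object { $_ -like 'CN=S-1-5-7,*' })
$findings += New-Finding 'Anonymous Logon in Pre-Windows 2000 Compatible Access' ($anon.Count -gt 0) ($anon.Count -eq 0)

$findings | Format-Table -AutoSize
```

"Allow anonymous SID / Name translation" is not stored as a registry value, so it is not covered here; check it in the effective security policy instead. Because Group Policy can overwrite local values, run the audit after a policy refresh to see what the DC actually enforces.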