Our Qualys scan shows "null session / password NetBIOS Access" and "NetBIOS Remote User List Disclosure" on Windows 2008 R2 domain controller.
To avoid this vulnerability, I had to make the following changes to the local computer policy on the domain controller:
- Network: anonymous SID / Name translation - Disabled
- Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
- Network access: Let Everyone permissions apply to anonymous users - Disabled
- Network access: Named Pipes that can be accessed anonymously - None
- Network access: Shares that can be accessed anonymously - None
The default value of "Network access: Named Pipes that can be accessed anonymously" was netlogon, samr and lsarpc. After I had removed this, the vulnerabilities were no longer displayed in the scan.
Does this affect the operation of the 2008 R2 domain controller?
Any help and links to documentation on this subject would be appreciated. Thanks
- Changed type by Tim Quan (Moderator), Friday, April 08, 2011 6:27 AM
I ran into this same issue and was wondering the same. I'm about to try it out in test, but still nervous about production. OP, did the changes make any difference in your environment?
I found that simply removing "samr" from "Network access: Named Pipes that can be accessed anonymously" seemed to prevent the dumping of usernames from anonymous, non-domain accounts including the Qualys scan. Additionally, these settings help (all should be default):
When I try to do that test, here's what I'm getting:
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
Does that mean it is secured already?
/* Server Support Specialist */
I had a similar problem and spent a good while trying to find a solution. We tried removing "samr" from the named pipes but that caused issues with forcing users to change passwords after a password reset.
In the end, I found an article about pre-Windows 2000 compatible access and anonymous logons (can't paste link yet). I removed "Anonymous Logon" from the built-in domain group "Pre-Windows 2000 Compatible Access", re-ran the Qualys scan and the vulnerabilities were resolved. As we've no pre-Windows 2003/XP computers on our site, we've encountered no problems so far.
Hope this helps.
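An added audit script (not posted by anyone in this thread) that checks, on the DC itself, the registry values behind the policies listed in the original question and the "Pre-Windows 2000 Compatible Access" membership described in the last reply. It assumes an elevated PowerShell session on the domain controller and the ActiveDirectory module for the group check; the registry paths and value names are the standard ones for these policies.

```powershell
# Added example: audit the null-session settings discussed in the thread.
# Registry value names/paths are the standard backing values for these policies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy has never been set explicitly
}

# Policy name, backing value, and the value the thread's hardened configuration expects.
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Name = 'RestrictAnonymousSAM';      Expect = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Name = 'RestrictAnonymous';         Expect = 1 }
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Name = 'EveryoneIncludesAnonymous'; Expect = 0 }
)
foreach ($c in $checks) {
    $actual = Get-RegValue $lsa $c.Name
    $status = if ($actual -eq $c.Expect) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1} ({2} = {3}, expected {4})' -f $status, $c.Policy, $c.Name, $actual, $c.Expect
}

# Pipes and shares reachable over a null session. The thread's finding was that
# 'samr' in NullSessionPipes is what lets anonymous clients list user names.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = @(@(Get-RegValue $srv $name) | Where-Object { $_ })
    $status = if ($list.Count -eq 0) { 'OK' } else { 'REVIEW' }
    $shown = if ($list.Count) { $list -join ', ' } else { '<none>' }
    '{0,-7} {1} = {2}' -f $status, $name, $shown
    if ($list -contains 'samr') { '        samr is still anonymously accessible' }
}

# Anonymous Logon appears in the group as the foreign security principal S-1-5-7.
Import-Module ActiveDirectory -ErrorAction Stop
$members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
$anon = @($members | Where-Object { $_ -like 'CN=S-1-5-7,*' })
$status = if ($anon.Count) { 'REVIEW' } else { 'OK' }
'{0,-7} Pre-Windows 2000 Compatible Access contains Anonymous Logon: {1}' -f $status, ($anon.Count -gt 0)
```

The "Allow anonymous SID/Name translation" policy is not a plain registry value and is left out here; compare it in the output of `secedit /export` instead. Lines marked REVIEW only indicate a difference from the thread's hardened configuration, and the last reply shows that removing samr in particular can break password-change-at-next-logon, so test changes before applying them in production.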