none
Domain controller smb null session enumeration RRS feed

  • Question

  • Hi Guys,

    what is Domain controller smb null session enumeration, my security team raise concern about this at saying that it is type of vulnerability that need to fix asap.

    I just wanted to know what will be impact of this we are going to fix this vulnerability and what will be step to achieve this task

    Reagrds,

    Triyambak


    Regards, Triyambak

    Thursday, August 25, 2016 9:53 AM

Answers

  • Hi,

    Thanks for your post.

    First, you could go through the following article to get more information about Null Session enumeration.

    Null Session Domain Controller Enumeration

    http://inner-tech.blogspot.sg/2015/09/null-session-domain-controller.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    By default null sessions (unauthenticated ) are enabled on windows 2000 and 2003 servers . As a result anyone can use these NULL connections to enumerate potentially sensitive information from the servers. Null session vulnerability is disabled on fresh Windows 2008 and earlier versions.

    Please refer to the following steps to disable SMB/NETBIOS NULL Session on domain controllers using group policy.

    Applies to : Windows 2008, windows 2008 r2 and Windows 2012/R2

    Step 1 : Apply below group policy settings to Default Domain Controller policy object or to the GPO object that is applied to your domain controllers.

    Edit GPO- Go to Computer configuration\Policies\Windows settings\Security Settings\Local Policies\SecurityOptions

    Enable:
    Network access: Restrict Anonymous access to Named Pipes and Shares
    Network access: Do not allow anonymous enumeration of SAM accounts
    Network access: Do not allow anonymous enumeration of SAM accounts and shares
    Network access: Shares that can be accessed anonymously
    Disable:
    Network access: Let Everyone permissions apply to anonymous users
    Network access: Allow anonymous SID/Name translation

    Step 2 : Update the registry key values to restrict null session as below:

    HKEY\SYSTEM\CurrentControlSet\Control\Lsa:
    RestrictAnonymous = 1
    Restrict AnonymousSAM = 1
    EveryoneIncludesAnonymous = 0

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 26, 2016 2:15 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    First, you could go through the following article to get more information about Null Session enumeration.

    Null Session Domain Controller Enumeration

    http://inner-tech.blogspot.sg/2015/09/null-session-domain-controller.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    By default null sessions (unauthenticated ) are enabled on windows 2000 and 2003 servers . As a result anyone can use these NULL connections to enumerate potentially sensitive information from the servers. Null session vulnerability is disabled on fresh Windows 2008 and earlier versions.

    Please refer to the following steps to disable SMB/NETBIOS NULL Session on domain controllers using group policy.

    Applies to : Windows 2008, windows 2008 r2 and Windows 2012/R2

    Step 1 : Apply below group policy settings to Default Domain Controller policy object or to the GPO object that is applied to your domain controllers.

    Edit GPO- Go to Computer configuration\Policies\Windows settings\Security Settings\Local Policies\SecurityOptions

    Enable:
    Network access: Restrict Anonymous access to Named Pipes and Shares
    Network access: Do not allow anonymous enumeration of SAM accounts
    Network access: Do not allow anonymous enumeration of SAM accounts and shares
    Network access: Shares that can be accessed anonymously
    Disable:
    Network access: Let Everyone permissions apply to anonymous users
    Network access: Allow anonymous SID/Name translation

    Step 2 : Update the registry key values to restrict null session as below:

    HKEY\SYSTEM\CurrentControlSet\Control\Lsa:
    RestrictAnonymous = 1
    Restrict AnonymousSAM = 1
    EveryoneIncludesAnonymous = 0

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 26, 2016 2:15 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 29, 2016 9:27 AM
    Moderator
  • Thanks for the response ,

    Just wanted to conform do we need to apply GPO as well as registry setting in all the domain controller.

    1:- if I do the changes on default domian controller policy it will be applies in all dcs

    2:- do we need to change registry as well in all dcs 

    Regards,

    Triyambak


    Regards, Triyambak

    Thursday, October 6, 2016 2:10 AM
  • Hi Triyambak,

    The answers to your questions are yes and yes.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 6, 2016 3:09 AM
    Moderator
  • Thanks , just wanted to know what will be impact if i implement these on our domain controllers. wanted to sure before doing the changes in dcs

    Enable:
    Network access: Restrict Anonymous access to Named Pipes and Shares
    Network access: Do not allow anonymous enumeration of SAM accounts
    Network access: Do not allow anonymous enumeration of SAM accounts and shares
    Network access: Shares that can be accessed anonymously
    Disable:
    Network access: Let Everyone permissions apply to anonymous users
    Network access: Allow anonymous SID/Name translation

    Step 2 : Update the registry key values to restrict null session as below:

    HKEY\SYSTEM\CurrentControlSet\Control\Lsa:
    RestrictAnonymous = 1
    Restrict AnonymousSAM = 1
    EveryoneIncludesAnonymous = 0


    Regards, Triyambak

    Thursday, October 6, 2016 5:32 AM
  • Hi,

    As far as I know, there is no any impact.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 10, 2016 3:07 AM
    Moderator