Disabling Null Sessions on Windows Server 2003/2008

  • Question

  • Hi All,

    I recently came to know about "Null Session Access", which applies to Windows Server 2003/2008 environments. My understanding is that, as originally designed, connecting to an IPC share of a system via the SMB protocol is used for system processes to communicate. Attackers take this as an option and try to create a null session and gain access. Basically, for Windows systems to work, these null sessions are needed by systems (for internal communication) but should not be allowed while using any tools or explicitly by a user. Is my understanding correct?

    So, I'm planning not to make the registry changes directly on Domain Controllers; instead I'm planning to use GPO. Is this supported? Are there any instances which broke the DCs after enabling these settings on DCs? I found the GPO settings via another post. This answer was given by MSFT professional Karen on a similar post: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/841523db-8c4b-43a0-9f28-be7270f92e2b


    After enabling these policies on Domain Controllers, can system processes continue to create null sessions and only explicit trying would be blocked? or both of them will be disabled?

    If both of them will be disabled, what is the recommendation from MS to avoid explicit null sessions on Domain Controllers?

    My environment is a Windows XP, Server 2003, 2008 environment; my trusted domains are at Windows 2000, Windows Server 2003, 2008 functional levels.

    Thanks for your time on this.


    Regards, Mohan R Sr. Administrator - Server Support

    Sunday, July 1, 2012 4:37 PM

Answers

  • Hi,

    A null session is an unauthenticated connection to a Windows 2000 or a Windows NT-based computer. A null session can be used to access the SMB APIs remotely. Null sessions are also referred to as null session connections, anonymous logon, and anonymous connections. In Windows 2000 and Windows NT environments, null sessions are used to gather information about the following:

    • Network information
    • Shares
    • Users and groups
    • Registry keys

    Null sessions are a weakness that can be exploited through the various shares on the computers in your environment.

    It is advisable to set Network access: Restrict anonymous access to Named Pipes and Shares to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares registry entries.

    This setting controls null session access to shares on your computers by adding the registry entry RestrictNullSessAccess with the value 1 to the registry key HKLM\System\CurrentControlSet\Services\LanManServer\Parameters. This registry entry toggles null session shares on or off to determine whether the Server service restricts access to clients that have logged on to the System account without user name and password authentication.

    > After enabling these policies on Domain Controllers, can system processes continue to create null sessions
    > and only explicit trying would be blocked? or both of them will be disabled?

    If you set “Network access: Restrict anonymous access to Named Pipes and Shares” to Enabled, you restrict null session access to unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares registry entries.

    But if you set the 6 Group Policies following the method in the link you provided, you disable all null session access.

    For more information, please refer to the following MS articles:

    The effects of removing null sessions from the Microsoft Windows 2000 and Microsoft Windows NT environment
    http://support.microsoft.com/kb/890161
    Local Policy Settings
    http://technet.microsoft.com/de-de/library/cc772979%28WS.10%29.aspx#w2k3tr_sepol_local_set_lyzw
    How to restrict access to the registry from a remote computer
    http://support.microsoft.com/kb/153183


    Lawrence

    TechNet Community Support

    • Marked as answer by Lawrence, Monday, July 16, 2012 8:44 AM
    Monday, July 2, 2012 3:13 AM
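
Added example, not part of the answer above: a read-only PowerShell check of the RestrictNullSessAccess, NullSessionPipes and NullSessionShares values the answer names, reporting which exemptions from the restriction remain. The function names and the sample values are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Reads the Server-service values named
# in the answer and reports what anonymous (null session) access is left open.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-NullSessionSettings {
    # Hypothetical helper: returns the three values as a hashtable (read-only).
    param([string]$Path = $ParamsKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    @{
        RestrictNullSessAccess = $p.RestrictNullSessAccess  # REG_DWORD, may be absent
        NullSessionPipes       = $p.NullSessionPipes        # REG_MULTI_SZ
        NullSessionShares      = $p.NullSessionShares       # REG_MULTI_SZ
    }
}

function Test-NullSessionSettings {
    # Hypothetical helper: turns the raw values into reviewable findings.
    param([hashtable]$Settings)
    # Drop null and empty entries that an absent or blank multi-string yields.
    $pipes  = @($Settings.NullSessionPipes  | Where-Object { $_ })
    $shares = @($Settings.NullSessionShares | Where-Object { $_ })
    $findings = @()
    if ($Settings.RestrictNullSessAccess -eq 1) {
        $state = 'Enabled'
    } elseif ($Settings.RestrictNullSessAccess -eq 0) {
        $state = 'Disabled'
        $findings += 'RestrictNullSessAccess is 0: the restriction is switched off'
    } else {
        $state = 'NotSet'
        $findings += 'RestrictNullSessAccess is not set explicitly: confirm the effective policy'
    }
    # Listed pipes and shares stay reachable even when the restriction is on.
    foreach ($n in $pipes)  { $findings += "Pipe '$n' is exempt (NullSessionPipes)" }
    foreach ($n in $shares) { $findings += "Share '$n' is exempt (NullSessionShares)" }
    New-Object PSObject -Property @{
        State = $state; ExemptPipes = $pipes; ExemptShares = $shares; Findings = $findings
    }
}

# Constructed sample values, so the check can be tried away from a server.
$sample = @{
    RestrictNullSessAccess = 1
    NullSessionPipes       = @('netlogon', 'samr', 'lsarpc')
    NullSessionShares      = @()
}
(Test-NullSessionSettings -Settings $sample).Findings

# On a live server (read-only):
# (Test-NullSessionSettings -Settings (Get-NullSessionSettings)).Findings
```

Running the check before and after the GPO is applied shows whether the policy reached the server and which pipes and shares are still exempt from it.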

All replies

  • How to disable SMB/NETBIOS NULL Session on domain controllers

    http://seneej.com/2015/07/29/how-to-disable-smbnetbios-null-session-on-domain-controllers/


    Wednesday, July 29, 2015 5:30 AM