Null Session/Anonymous Logons

I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities found was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, and the reverse logon name. As far as I know, the passwords on a W2000 server are encrypted, and the question is how it could be possible to find out the above-mentioned passwords, and it means that the passwords for the other accounts are vulnerable in spite of encryption. And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but any kind of experience in dealing with this issue would be very helpful.

Thank you
destiny777 Asked:
 
Yan_west Commented:
For DCs, you should put a value of 1 and the replication will not be affected. I know of no application that uses null sessions, btw. I've never heard of anyone having a problem with the disabling of null session capabilities on their network.
0
 
Yan_west Commented:
Using a dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain, btw, in about 1 hour. The only protection against that would be to enable the "force strong password" policy.
0
 
Yan_west Commented:
Is your 2000 DC fully patched up to SP4?
0
 
destiny777 Author Commented:
Yes, it is, and I run the scan as a regular user.
0
 
Yan_west Commented:
Use Registry Editor to find the following registry key, and then add
        (or modify) the following value

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

      Value: RestrictAnonymous
      Value Type: REG_DWORD
      Value Data: 0x2 (Hex)

       RestrictAnonymous is set by changing the registry key to 0 or 1 for
       Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers
       correspond to the following settings:

      0 None. Rely on default permissions (ie. allow Null Session
      1 Do not allow enumeration of SAM accounts and names
      2 No access without explicit anonymous permissions

Here, my setup is at 1, because of some application, and it's better than 0.
0
 
Yan_west Commented:
The problem with putting 2, btw, was with our Exchange server; apart from that, everything was running fine with it. There is no danger in putting it to 2. Afterwards, you can always get it back to 1 if something stops working.
0
 
Yan_west Commented:
Interesting read about this vulnerability and Windows systems:

http://ist.uwaterloo.ca/security/vulnerable/20030807.note
0
 
Yan_west Commented:
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
   value to 1 (not 2) if they manage a mixed environment -- eg. if they have
   any trust relationships with NT4 Domains"
0
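An added example, not part of any post in this thread: a Python check that reads RestrictAnonymous from exported .reg text and applies the 0/1/2 meanings and the NT4-trust caveat quoted above. The function names and the sample exports are constructed for illustration.

```python
import re

# Meanings as listed in the thread for Windows 2000.
LEVELS = {
    0: "None. Rely on default permissions",
    1: "Do not allow enumeration of SAM accounts and names",
    2: "No access without explicit anonymous permissions",
}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def read_restrict_anonymous(reg_text):
    """Return RestrictAnonymous from .reg export text, or None if absent."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive.
            in_lsa = line[1:-1].lower() == LSA_KEY
            continue
        if in_lsa:
            m = re.match(r'"restrictanonymous"\s*=\s*dword:([0-9a-f]{8})$',
                         line, re.I)
            if m:
                return int(m.group(1), 16)
    return None

def audit(host, reg_text, is_dc=False, nt4_trusts=False):
    """Return (host, value, finding) using the guidance quoted in the thread."""
    value = read_restrict_anonymous(reg_text)
    if value is None:
        return host, None, "RestrictAnonymous not present in export"
    if value not in LEVELS:
        return host, value, "unexpected value"
    if value == 0:
        return host, value, "null sessions allowed: raise to 1 or 2"
    if value == 2 and is_dc and nt4_trusts:
        return host, value, "DC with NT4 trusts: thread advises 1, not 2"
    return host, value, "ok: " + LEVELS[value]

def sample_export(value_line):
    # Constructed sample in .reg export layout, not taken from a real host.
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
            + value_line + "\n")

if __name__ == "__main__":
    print(audit("dc01", sample_export('"RestrictAnonymous"=dword:00000002'),
                is_dc=True, nt4_trusts=True))
    print(audit("srv02", sample_export('"restrictanonymous"=dword:00000000')))
```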
 
destiny777 Author Commented:
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null session. This is not my concern, but because my network runs multiple applications, I am concerned about the impact of disabling null session.
0
 
Yan_west Commented:
We also run multiple applications, including Exchange, Intranet, and lots of others, and didn't run into any problems. If your applications are homemade, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
0
 
destiny777 Author Commented:
It's rather a business network. Will the replication services between DCs be affected? What applications are using null session?
0
 
destiny777 Author Commented:
One question: what is the "known" benefit or use of anonymous logon? What services or applications can't live without it?
0
Question has a verified solution.