We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
4 days, 9 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Null Session/Anonymous Logons
Posted on 2004-09-24
I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all accounts name with same password as the logon name, and reverse logon name. As I know the passwords on w2000 server are encrypted and the question is how could is possible to find out the above mentioned passwords and it means that the passwords for the other accounts are vulnerable in spite of encryption. And another question, what kind of services or applications would be affected if I close the null session? I know it must be tested but kind of experience in dealing with this issue would be very helpful.
Thank you
Thank you
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
8
-
4
14 Comments
Using Dictionnary attack / Brute force, I can find 80% of the passwords in a 120 users domain btw in about 1 hours.. the only protection against that would be to enable the "force strong password" policy..
Use Registry Editor to find the following registry key, and then add
(or modify) the following value
HKEY_LOCAL_MACHINE\SYSTEM\
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)
RestrictAnonymous is set by changing the registry key to 0 or 1 for
Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers
correspond to the following settings:
0 None. Rely on default permissions (ie. allow Null Session
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
Here, my setup is at 1, because of some application, and it'S better then 0..
(or modify) the following value
HKEY_LOCAL_MACHINE\SYSTEM\
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)
RestrictAnonymous is set by changing the registry key to 0 or 1 for
Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers
correspond to the following settings:
0 None. Rely on default permissions (ie. allow Null Session
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
Here, my setup is at 1, because of some application, and it'S better then 0..
The problem with putting 2 btw was with our exchange server, apart from that, everything was running fine with it.. there is no danger putting it to 2.. after, you can always get it back to 1 if something stops working.
Interesting read about this vulnerability and windows system:
http://ist.uwaterloo.ca/security/vulnerable/20030807.note
http://ist.uwaterloo.ca/security/vulnerable/20030807.note
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
value to 1 (not 2) if they manage a mixed environment -- eg. if they have
any trust relationships with NT4 Domains"
value to 1 (not 2) if they manage a mixed environment -- eg. if they have
any trust relationships with NT4 Domains"
I went through Microsoft KB articles 143474 and 246261 which tell how to change the settings for null session, this is no my concern, but because my network runs multtiple applications I am concerned of the impact of disabling null session
We also run multiple application, including exchange, Intranet, and lots of other, and didnt run in any problem. If you application are home made, you should know if they are using null authentification. I doubt it will affect how your application are working with a value of 1...
It's rather a business network. The replication services between DCs will be afected? What applications are using null session?
Featured Post
Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Downtime reduced, data recovered by utilizing an Experts Exchange Business Account
Challenge
The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special.
It's completely agentless, but does let you create an agent, if you desire.
It offers powerful scalability …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month4 days, 9 hours left to enroll
Earn Certification
MTA Mobility Device Fundamentals (Exam 98-368)
$59.00$53.10
Earn Certification
MTA Networking Fundamentals Exam 98-366
$59.00$53.10
689 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.