I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, or the reversed logon name. As far as I know the passwords on a W2000 server are encrypted, and the question is how it could be possible to find out the above-mentioned passwords; does it mean that the passwords for the other accounts are vulnerable in spite of encryption? And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but some kind of experience in dealing with this issue would be very helpful.
Using a dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain in about 1 hour, btw. The only protection against that would be to enable the "force strong password" policy.
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)
RestrictAnonymous is set by changing the registry key to 0 or 1 for
Windows NT 4.0, or to 0, 1, or 2 for Windows 2000. These numbers
correspond to the following settings:
0 None. Rely on default permissions (i.e. allow null sessions)
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
Here, my setup is at 1, because of some application, and it's better than 0.
The problem with putting 2, btw, was with our Exchange server; apart from that, everything was running fine with it. There is no danger in putting it to 2; afterwards, you can always set it back to 1 if something stops working.
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
value to 1 (not 2) if they manage a mixed environment -- eg. if they have
any trust relationships with NT4 Domains"
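The registry change and the null-session check described in the answer above, as an added example that is not part of the original thread: a cmd.exe batch script that reads the current RestrictAnonymous value on a named server, optionally sets it to 0, 1 or 2, and then tries to open a null session to IPC$ and enumerate shares over it so you can see what the server still hands out at each level. Note that a scanner reports "password equals logon name" hits by attempting logons with the names it enumerated over the null session, not by decrypting anything, so cutting off the enumeration removes the list it works from. The script assumes a reg.exe that accepts the remote \\server\HKLM\... key syntax (built into Windows XP and later; on Windows 2000 reg.exe came from the Resource Kit and its syntax differs), and the server name, script name and 0/1/2 argument are placeholders.

```batch
@echo off
REM Added example, not from the original thread.
REM Audit (and optionally set) RestrictAnonymous, then test a null session.
REM Assumes reg.exe with \\server\HKLM remote key syntax (XP+; Resource Kit on Win2000).
REM Usage: nullsess.cmd <server> [0|1|2]

setlocal
set SERVER=%1
set NEWVAL=%2
set LSAKEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa

if "%SERVER%"=="" (
    echo usage: %~nx0 ^<server^> [0^|1^|2]
    exit /b 1
)

echo === Current RestrictAnonymous on \\%SERVER% ===
REM 0 = default permissions (null sessions allowed)
REM 1 = no enumeration of SAM accounts and names
REM 2 = no access at all without explicit anonymous permissions
reg query \\%SERVER%\%LSAKEY% /v RestrictAnonymous

if not "%NEWVAL%"=="" (
    echo === Setting RestrictAnonymous to %NEWVAL% ===
    reg add \\%SERVER%\%LSAKEY% /v RestrictAnonymous /t REG_DWORD /d %NEWVAL% /f
    echo The new value takes effect after a reboot; re-run the test afterwards.
)

echo === Null session test: empty user name and empty password ===
net use \\%SERVER%\ipc$ "" /user:"" >nul 2>&1
if errorlevel 1 (
    echo Null session to IPC$ was REFUSED.
    goto :done
)
echo Null session to IPC$ was ACCEPTED. Trying share enumeration over it:
REM With RestrictAnonymous=1 the SAM account/name listing is blocked but
REM other anonymous queries may still answer; with 2 they should all fail.
net view \\%SERVER%
if errorlevel 1 (
    echo Anonymous share enumeration was refused.
) else (
    echo Anonymous share enumeration SUCCEEDED.
)
net use \\%SERVER%\ipc$ /delete >nul 2>&1

:done
endlocal
```

Run it once before and once after changing the value (with a reboot in between) and compare the two results; if an application such as the Exchange server mentioned above breaks at 2, the same script with a value of 1 puts the setting back.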
destiny777Author Commented:
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null sessions; this is not my concern, but because my network runs multiple applications I am concerned about the impact of disabling null sessions.
We also run multiple applications, including Exchange, an intranet, and lots of others, and didn't run into any problem. If your applications are home-made, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
destiny777Author Commented:
It's rather a business network. Will the replication services between DCs be affected? What applications are using null sessions?
For DCs, you should put a value of 1 and the replication will not be affected. I know of no application that uses null sessions, btw. I've never heard of anyone having problems with disabling null session capabilities on their network.
destiny777Author Commented:
One question: what is the "known" benefit or use of anonymous logon? What services or applications can't live without it?