Solved

Null Session/Anonymous Logons

Posted on 2004-09-24
Last Modified: 2013-12-23
I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, and the reverse logon name. As far as I know, the passwords on a W2000 server are encrypted, and the question is how it could be possible to find out the above-mentioned passwords, and it means that the passwords for the other accounts are vulnerable in spite of encryption. And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but any kind of experience in dealing with this issue would be very helpful.

Thank you
Question by:destiny777
14 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145778
Using a dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain, btw, in about 1 hour. The only protection against that would be to enable the "force strong password" policy.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145784
Is your 2000 DC fully patched up to SP4?
0
 

Author Comment

by:destiny777
ID: 12146229
Yes it is, and I run the scan as a regular user.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146269
Use Registry Editor to find the following registry key, and then add (or modify) the following value:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

      Value: RestrictAnonymous
      Value Type: REG_DWORD
      Value Data: 0x2 (Hex)

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

      0 None. Rely on default permissions (i.e. allow Null Session)
      1 Do not allow enumeration of SAM accounts and names
      2 No access without explicit anonymous permissions

Here, my setup is at 1, because of some application, and it's better than 0.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146282
The problem with putting 2 btw was with our exchange server, apart from that, everything was running fine with it.. there is no danger putting it to 2.. after, you can always get it back to 1 if something stops working.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146293
Interesting read about this vulnerability and windows system:

http://ist.uwaterloo.ca/security/vulnerable/20030807.note
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146313
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
   value to 1 (not 2) if they manage a mixed environment -- eg. if they have
   any trust relationships with NT4 Domains"
0
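Added example, not part of any post in this thread: a small audit that reads captured `reg query` output for the Control\LSA key and grades each host against the advice given above (1 on domain controllers, 2 elsewhere, with 2 on a DC flagged for review because of the NT4-trust caveat). The host names, the sample output, the `reg query` output layout and the treatment of a missing value as 0 are assumptions.

```python
import re

# RestrictAnonymous meanings on Windows 2000, as listed in the thread.
MEANING = {
    0: "default permissions; null sessions allowed",
    1: "no anonymous enumeration of SAM accounts and names",
    2: "no access without explicit anonymous permissions",
}
VALUE_RE = re.compile(
    r"^\s*RestrictAnonymous\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I | re.M)

def parse_restrict_anonymous(reg_output):
    """Return the DWORD as an int, or None if the value is not present."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None

def assess(reg_output, is_dc=False):
    """Classify one host as (status, effective value, target value)."""
    value = parse_restrict_anonymous(reg_output)
    effective = 0 if value is None else value  # assumption: absent means 0
    target = 1 if is_dc else 2                 # thread's advice: 1 on DCs
    if effective not in MEANING:
        return ("invalid", effective, target)
    if effective < target:
        return ("weak", effective, target)
    if effective > target:
        return ("review", effective, target)   # 2 on a DC: check NT4 trusts
    return ("ok", effective, target)

# Constructed sample input: hypothetical host names and captured output.
KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
SAMPLES = {
    "dc01": (True, KEY + "    RestrictAnonymous    REG_DWORD    0x0\n"),
    "dc02": (True, KEY + "    RestrictAnonymous    REG_DWORD    0x2\n"),
    "file01": (False, KEY + "    RestrictAnonymous    REG_DWORD    0x1\n"),
    "web01": (False, KEY),  # value missing from the key
}

def audit(samples):
    """Map each host name to its assess() result."""
    return {host: assess(out, is_dc) for host, (is_dc, out) in samples.items()}

if __name__ == "__main__":
    for host, (status, eff, target) in audit(SAMPLES).items():
        print(f"{host}: {status} (value {eff}: "
              f"{MEANING.get(eff, 'unknown')}; target {target})")
```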
 

Author Comment

by:destiny777
ID: 12147091
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null session. This is not my concern, but because my network runs multiple applications I am concerned about the impact of disabling null session.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12147128
We also run multiple applications, including Exchange, intranet, and lots of others, and didn't run into any problems. If your applications are home-made, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
0
 

Author Comment

by:destiny777
ID: 12159958
It's rather a business network. Will the replication services between DCs be affected? What applications are using null session?
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12159975
For DCs, you should put a value of 1 and the replication will not be affected. I know of no application that uses null sessions, btw. I've never heard of anyone having a problem with the disabling of null session capabilities on their network.
0
 

Author Comment

by:destiny777
ID: 12278480
One question: what is the "known" benefit or use of anonymous logon? What services or applications can't live without it?
0
