Solved

Null Session/Anonymous Logons

Posted on 2004-09-24
Last Modified: 2013-12-23
I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, and reverse logon name. As far as I know, the passwords on a W2000 server are encrypted, and the question is how it could be possible to find out the above-mentioned passwords, and whether it means that the passwords for the other accounts are vulnerable in spite of encryption. And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but any kind of experience in dealing with this issue would be very helpful.

Thank you
Question by:destiny777
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145778
Using dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain btw in about 1 hour.. the only protection against that would be to enable the "force strong password" policy..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145784
Is your 2000 DC fully patched up to SP4?
0
 

Author Comment

by:destiny777
ID: 12146229
Yes it is, and I run the scan as a regular user.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146269
Use Registry Editor to find the following registry key, and then add (or modify) the following value:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

      Value: RestrictAnonymous
      Value Type: REG_DWORD
      Value Data: 0x2 (Hex)

       RestrictAnonymous is set by changing the registry key to 0 or 1 for
       Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers
       correspond to the following settings:

      0 None. Rely on default permissions (i.e. allow Null Session)
      1 Do not allow enumeration of SAM accounts and names
      2 No access without explicit anonymous permissions

Here, my setup is at 1, because of some application, and it's better than 0..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146282
The problem with putting 2 btw was with our Exchange server; apart from that, everything was running fine with it.. there is no danger putting it to 2.. afterwards, you can always get it back to 1 if something stops working.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146293
Interesting read about this vulnerability and windows system:

http://ist.uwaterloo.ca/security/vulnerable/20030807.note
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146313
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
   value to 1 (not 2) if they manage a mixed environment -- eg. if they have
   any trust relationships with NT4 Domains"
0
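An added example, not part of any post in this thread: a small audit that grades saved `reg query` output for the LSA key against the RestrictAnonymous values listed above, including the quoted caution about DCs that trust NT4 domains. The host names, roles and sample output are constructed, and the name / type / data line layout of the output is an assumption.

```python
import re

# Meanings of RestrictAnonymous as listed in the thread (Windows 2000: 0, 1 or 2).
MEANING = {
    0: "None: rely on default permissions (null sessions allowed)",
    1: "Do not allow enumeration of SAM accounts and names",
    2: "No access without explicit anonymous permissions",
}

# One value line of `reg query` output: name, type, data (assumed layout).
VALUE_RE = re.compile(r"^\s*RestrictAnonymous\s+(REG_\w+)\s+(\S+)\s*$", re.I | re.M)

def parse_restrict_anonymous(reg_output):
    """Return the value as an int, or None when the value is not present."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    reg_type, data = m.groups()
    if reg_type.upper() != "REG_DWORD":
        raise ValueError("RestrictAnonymous is %s, expected REG_DWORD" % reg_type)
    return int(data, 16) if data.lower().startswith("0x") else int(data)

def assess(reg_output, is_dc=False, trusts_nt4=False):
    """Grade one host; is_dc / trusts_nt4 are supplied by the auditor."""
    value = parse_restrict_anonymous(reg_output)
    if value is None:
        return "FAIL", "RestrictAnonymous is not set"
    if value not in MEANING:
        return "FAIL", "unexpected value %d" % value
    if value == 0:
        return "FAIL", MEANING[0]
    if value == 2 and is_dc and trusts_nt4:
        return "WARN", "2 on a DC with NT4 trusts; the quoted note says use 1"
    return "OK", MEANING[value]

KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\n"
# Constructed sample output; host names and roles are made up for this example.
SAMPLES = {
    "DC01":  (KEY + "    RestrictAnonymous    REG_DWORD    0x2\n", True, True),
    "DC02":  (KEY + "    RestrictAnonymous    REG_DWORD    0x1\n", True, True),
    "APP03": (KEY + "    RestrictAnonymous    REG_DWORD    0x0\n", False, False),
    "APP04": (KEY + "    auditbaseobjects    REG_DWORD    0x0\n", False, False),
}

def audit(samples):
    """Grade every host in the sample set: host -> (grade, reason)."""
    return {host: assess(*args) for host, args in samples.items()}

if __name__ == "__main__":
    for host, (grade, why) in audit(SAMPLES).items():
        print("%-6s %-4s %s" % (host, grade, why))
```
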
 

Author Comment

by:destiny777
ID: 12147091
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null session. This is not my concern, but because my network runs multiple applications I am concerned about the impact of disabling null session.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12147128
We also run multiple applications, including Exchange, Intranet, and lots of others, and didn't run into any problem. If your applications are home made, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
0
 

Author Comment

by:destiny777
ID: 12159958
It's rather a business network. Will the replication services between DCs be affected? What applications are using null session?
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12159975
For DCs, you should put a value of 1 and the replication will not be affected.. I know of no application that uses null sessions btw.. I've never heard of anyone having problems with the disabling of null session capabilities on their network..
0
 

Author Comment

by:destiny777
ID: 12278480
One question: what is the "known" benefit or use of anonymous logon? What services or applications can't live without it?
0
