Solved

Null Session/Anonymous Logons

Posted on 2004-09-24
Last Modified: 2013-12-23
I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, and the reverse logon name. As far as I know, the passwords on a W2000 server are encrypted, and the question is how it could be possible to find out the above-mentioned passwords, and it means that the passwords for the other accounts are vulnerable in spite of encryption. And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but any kind of experience in dealing with this issue would be very helpful.

Thank you
0
Question by:destiny777
14 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145778
Using dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain btw in about 1 hour.. the only protection against that would be to enable the "force strong password" policy..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145784
Is your 2000 DC fully patched up to SP4?
0
 

Author Comment

by:destiny777
ID: 12146229
Yes it is, and I run the scan as a regular user
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146269
Use Registry Editor to find the following registry key, and then add (or modify) the following value:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

      Value: RestrictAnonymous
      Value Type: REG_DWORD
      Value Data: 0x2 (Hex)

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

      0  None. Rely on default permissions (i.e. allow Null Session)
      1  Do not allow enumeration of SAM accounts and names
      2  No access without explicit anonymous permissions

Here, my setup is at 1, because of some application, and it's better than 0..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146282
The problem with putting 2 btw was with our Exchange server, apart from that, everything was running fine with it.. there is no danger putting it to 2.. afterwards, you can always get it back to 1 if something stops working.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146293
Interesting read about this vulnerability and windows system:

http://ist.uwaterloo.ca/security/vulnerable/20030807.note
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146313
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
   value to 1 (not 2) if they manage a mixed environment -- eg. if they have
   any trust relationships with NT4 Domains"
0
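Added example, not part of the original thread: a small audit helper that reads the RestrictAnonymous value out of captured registry query output and grades it against the 0/1/2 meanings and the domain-controller caveat quoted above. It assumes the text was collected with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous`; the host names, roles and sample outputs are constructed.

```python
import re

# RestrictAnonymous meanings, as listed in the post above.
MEANINGS = {
    0: "None: rely on default permissions (null sessions allowed)",
    1: "Do not allow enumeration of SAM accounts and names",
    2: "No access without explicit anonymous permissions",
}
# Requires whitespace after the name, so longer value names that merely
# start with "RestrictAnonymous" are not mistaken for it.
VALUE_RE = re.compile(r"^\s*RestrictAnonymous\s+(REG_\w+)\s+(0x[0-9a-f]+|\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

def parse_restrict_anonymous(reg_output):
    """Return the DWORD as an int, or None when the value is absent."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    if m.group(1).upper() != "REG_DWORD":
        raise ValueError("unexpected type %s for RestrictAnonymous" % m.group(1))
    return int(m.group(2), 0)

def assess(reg_output, is_dc=False, trusts_nt4=False):
    """Return (value, verdict, reason) for one host's query output."""
    value = parse_restrict_anonymous(reg_output)
    if value is None:
        return (None, "REVIEW", "value not set; check the OS default behaviour")
    if value not in MEANINGS:
        return (value, "REVIEW", "value outside the documented 0-2 range")
    if value == 0:
        return (0, "WEAK", MEANINGS[0])
    if value == 2 and is_dc and trusts_nt4:
        return (2, "REVIEW", "DC trusting NT4 domains: the quoted note advises 1, not 2")
    return (value, "OK", MEANINGS[value])

# Constructed sample outputs (hypothetical hosts), in reg.exe's layout.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
def _out(data):
    return "\n%s\n    RestrictAnonymous    REG_DWORD    %s\n\n" % (KEY, data)

HOSTS = {  # name: (query output, is_dc, trusts_nt4)
    "dc01": (_out("0x0"), True, False),
    "dc02": (_out("0x2"), True, True),
    "fs01": (_out("0x1"), False, False),
    "app01": ("ERROR: The system was unable to find the specified registry key or value.\n", False, False),
}

def audit(hosts=HOSTS):
    return {name: assess(*args) for name, args in hosts.items()}

if __name__ == "__main__":
    for name, (value, verdict, reason) in audit().items():
        print("%-6s %-5s %-7s %s" % (name, value, verdict, reason))
```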
 

Author Comment

by:destiny777
ID: 12147091
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null session. This is not my concern, but because my network runs multiple applications I am concerned about the impact of disabling null session.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12147128
We also run multiple applications, including Exchange, Intranet, and lots of others, and didn't run into any problem. If your applications are home made, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
0
 

Author Comment

by:destiny777
ID: 12159958
It's rather a business network. Will the replication services between DCs be affected? What applications are using null session?
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12159975
For DCs, you should put a value of 1 and the replication will not be affected.. I know of no application that uses null sessions btw.. I've never heard of anyone having problems with the disabling of null session capabilities on their network..
0
 

Author Comment

by:destiny777
ID: 12278480
One question: what is the "known" benefit or use of anonymous logon, and what services or applications can't live without it?
0
