Solved

Null Session/Anonymous Logons

Posted on 2004-09-24
Last Modified: 2013-12-23
I ran a network security vulnerability scan against a Windows 2000 DC. One of the vulnerabilities obtained was the "null session", but the most worrisome thing was that it listed all account names with the same password as the logon name, and reverse logon name. As far as I know, the passwords on a W2000 server are encrypted, so the question is how it could be possible to find out the above-mentioned passwords, and does it mean that the passwords for the other accounts are vulnerable in spite of encryption? And another question: what kind of services or applications would be affected if I close the null session? I know it must be tested, but any kind of experience in dealing with this issue would be very helpful.

Thank you
Question by:destiny777
14 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145778
Using a dictionary attack / brute force, I can find 80% of the passwords in a 120-user domain, btw, in about 1 hour.. the only protection against that would be to enable the "force strong password" policy..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12145784
Is your 2000 DC fully patched up to SP4?
0
 

Author Comment

by:destiny777
ID: 12146229
Yes, it is, and I run the scan as a regular user
0

 
LVL 15

Expert Comment

by:Yan_west
ID: 12146269
Use Registry Editor to find the following registry key, and then add
        (or modify) the following value

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

      Value: RestrictAnonymous
      Value Type: REG_DWORD
      Value Data: 0x2 (Hex)

       RestrictAnonymous is set by changing the registry key to 0 or 1 for
       Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers
       correspond to the following settings:

      0 None. Rely on default permissions (ie. allow Null Session)
      1 Do not allow enumeration of SAM accounts and names
      2 No access without explicit anonymous permissions

Here, my setup is at 1, because of some application, and it's better than 0..
0
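As an added example (not part of the original thread), the RestrictAnonymous values listed in the comment above can be audited across several machines from exported .reg text. The host names, the sample exports, the `minimum` threshold parameter and the treatment of a missing value as 0 are assumptions made for the illustration.

```python
import re

# Meanings as listed in the comment above (Windows 2000 accepts 0, 1 or 2).
MEANING = {
    0: "None: rely on default permissions (null sessions allowed)",
    1: "Do not allow enumeration of SAM accounts and names",
    2: "No access without explicit anonymous permissions",
}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def restrict_anonymous(reg_text):
    """Return the RestrictAnonymous DWORD from .reg export text, or None if absent."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only the LSA key itself counts, not its subkeys.
            in_lsa = line[1:-1].lower() == LSA_KEY
            continue
        m = re.match(r'"restrictanonymous"\s*=\s*dword:([0-9a-f]{8})$', line, re.I)
        if in_lsa and m:
            return int(m.group(1), 16)
    return None

def audit(hosts, minimum=1):
    """Return (host, effective value, meaning, ok); a missing value counts as 0 (assumption)."""
    report = []
    for host, text in sorted(hosts.items()):
        found = restrict_anonymous(text)
        value = 0 if found is None else found
        meaning = MEANING.get(value, "unexpected value")
        report.append((host, value, meaning, value in MEANING and value >= minimum))
    return report

# Constructed sample exports (hypothetical host names).
HEADER = "Windows Registry Editor Version 5.00\n\n"
SAMPLE = {
    "dc01": HEADER + "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
            '"restrictanonymous"=dword:00000001\n',
    "srv02": HEADER + "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
             '"auditbaseobjects"=dword:00000000\n',
    "srv03": HEADER + "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos]\n"
             '"restrictanonymous"=dword:00000002\n',
}

if __name__ == "__main__":
    for host, value, meaning, ok in audit(SAMPLE):
        print(f"{host}: RestrictAnonymous={value} ({meaning}) {'OK' if ok else 'REVIEW'}")
```

Passing `minimum=2` flags every host that is not at the strictest setting, which suits environments without the NT4 trust relationships mentioned later in the thread.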
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146282
The problem with putting 2, btw, was with our Exchange server; apart from that, everything was running fine with it.. there is no danger putting it to 2.. after, you can always get it back to 1 if something stops working.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146293
Interesting read about this vulnerability and windows system:

http://ist.uwaterloo.ca/security/vulnerable/20030807.note
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12146313
"BEWARE -- We understand that Windows 2000 Domain Controllers should set the
   value to 1 (not 2) if they manage a mixed environment -- eg. if they have
   any trust relationships with NT4 Domains"
0
 

Author Comment

by:destiny777
ID: 12147091
I went through Microsoft KB articles 143474 and 246261, which tell how to change the settings for null session. This is not my concern, but because my network runs multiple applications I am concerned about the impact of disabling null session
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12147128
We also run multiple applications, including Exchange, Intranet, and lots of others, and didn't run into any problems. If your applications are home-made, you should know if they are using null authentication. I doubt it will affect how your applications are working with a value of 1...
0
 

Author Comment

by:destiny777
ID: 12159958
It's rather a business network. Will the replication services between DCs be affected? What applications are using null session?
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12159975
For DCs, you should put a value of 1 and the replication will not be affected.. I know of no application that uses null sessions btw.. I've never heard of anyone having problems with the disabling of null session capabilities on their network..
0
 

Author Comment

by:destiny777
ID: 12278480
One question: what is the "known" benefit or use of anonymous logon? What services or applications can't live without it?
0
