Link to home
Start Free TrialLog in
Avatar of agcsupport
agcsupportFlag for United States of America

asked on

PCI scan - CIFS NULL Session Permitted

Hello - I am currently going through a PCI audit and they found the below vulnerability.

3.1.5. CIFS NULL Session Permitted

The policy "Network access: Named pipes that can be accessed anonymously" has netlogon,samr,lsarpc in the list. I believe this is where the vulnerability came from. I understand they are ldap services but do I need to allow them via anonymous access? is there a more secure method for these services to use?
ASKER CERTIFIED SOLUTION
Avatar of btan
btan
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of agcsupport
agcsupport
Flag of United States of America image

ASKER

@lvl60 - I previously found that article and applied the settings. The below setting allows you to add named pipes basically as an exception. This is where I have the netlogon,samr,lsarpc listed. I did not manually input them so I would have to say they are there by default. These are the services I am wanting to disable if possible. If they are required ldap pipes then I will report them as needed pipes to auditors.

"Network access: Restrict Anonymous access to Named Pipes and Shares"
Avatar of btan
btan
Those are default named pipes e.g. default list on Windows Server 2003, R2: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, netlogon, lsarpc, samr, browser. There is really no need for these to have anonymous login. User account should authenticated for accountability and audit trail..
Avatar of agcsupport
agcsupport
Flag of United States of America image

ASKER

So is it your opinion I can remove these entries without issue?

Netlogon - Net Logon service
 Lsarpc - LSA access
 Samr - SAM access
Avatar of btan
btan
Yes. As MS stated
In operating systems earlier than Windows Server 2003 with Service Pack 1 (SP1), these named pipes were allowed anonymous access by default. In later operating systems, these pipes must be explicitly added if needed.
Avatar of agcsupport
agcsupport
Flag of United States of America image

ASKER

I looked at both of my server 2012 DC's and they have the three named pipes enabled. I also looked on another 2012 server where the policy was set to restrict and there were no services listed. Seems that the domain controllers have them enabled by default which leads me to think they are needed. I suppose I can remove them and see what breaks but not a fan of doing that.
Avatar of Ed OConnor
Ed OConnor
Flag of Ireland image
So is it your opinion I can remove these entries without issue?

Id suggest caution here...

Given you understand what dependencies exist in your network which may rely on  this functionality, you are best suited to answer this.  I dont think anyone here, with zero knowledge of what is going on at your company can say you can do this without issue.

That said, the spirit of btan's reply rings true
Avatar of agcsupport
agcsupport
Flag of United States of America image

ASKER

Completely understand nobody here knows my environment and its dependencies. Lets say I set up a 2012 domain test environment. Two DCs and one Win10 workstation with all default settings including the named pipes exceptions. Do I need these services for this environment to work correctly.
Avatar of Ed OConnor
Ed OConnor
Flag of Ireland image
You shouldnt with modern versions of the operating system and server roles.  As btan pointed out, this is legacy stuff
Avatar of agcsupport
agcsupport
Flag of United States of America image

ASKER

Thank you everyone for your help - much appreciated.