agcsupport
asked on
PCI scan - CIFS NULL Session Permitted
Hello - I am currently going through a PCI audit and they found the below vulnerability.
3.1.5. CIFS NULL Session Permitted
The policy "Network access: Named pipes that can be accessed anonymously" has netlogon,samr,lsarpc in the list. I believe this is where the vulnerability came from. I understand they are ldap services but do I need to allow them via anonymous access? is there a more secure method for these services to use?
3.1.5. CIFS NULL Session Permitted
The policy "Network access: Named pipes that can be accessed anonymously" has netlogon,samr,lsarpc in the list. I believe this is where the vulnerability came from. I understand they are ldap services but do I need to allow them via anonymous access? is there a more secure method for these services to use?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Those are default named pipes e.g. default list on Windows Server 2003, R2: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, netlogon, lsarpc, samr, browser. There is really no need for these to have anonymous login. User account should authenticated for accountability and audit trail..
ASKER
So is it your opinion I can remove these entries without issue?
Netlogon - Net Logon service
Lsarpc - LSA access
Samr - SAM access
Netlogon - Net Logon service
Lsarpc - LSA access
Samr - SAM access
Yes. As MS stated
In operating systems earlier than Windows Server 2003 with Service Pack 1 (SP1), these named pipes were allowed anonymous access by default. In later operating systems, these pipes must be explicitly added if needed.
ASKER
I looked at both of my server 2012 DC's and they have the three named pipes enabled. I also looked on another 2012 server where the policy was set to restrict and there were no services listed. Seems that the domain controllers have them enabled by default which leads me to think they are needed. I suppose I can remove them and see what breaks but not a fan of doing that.
So is it your opinion I can remove these entries without issue?
Id suggest caution here...
Given you understand what dependencies exist in your network which may rely on this functionality, you are best suited to answer this. I dont think anyone here, with zero knowledge of what is going on at your company can say you can do this without issue.
That said, the spirit of btan's reply rings true
ASKER
Completely understand nobody here knows my environment and its dependencies. Lets say I set up a 2012 domain test environment. Two DCs and one Win10 workstation with all default settings including the named pipes exceptions. Do I need these services for this environment to work correctly.
You shouldnt with modern versions of the operating system and server roles. As btan pointed out, this is legacy stuff
ASKER
Thank you everyone for your help - much appreciated.
ASKER
"Network access: Restrict Anonymous access to Named Pipes and Shares"