| Field | Value |
|---|---|
| VID | 28005 |
| Severity | 20 |
| Port | 137,138,139 |
| Protocol | TCP |
| Class | SMB |
**Detailed Description**

The remote Windows system accepts a null session to IPC$, and all host names known to the Windows system can be listed through it. This is potentially dangerous because it hands an attacker useful reconnaissance information. A null session (as opposed to a validated session) is used because browsing can occur without a valid trust relationship. The null session is analogous to an anonymous login: it permits the computer to obtain a browse list of the following without regard to resource permissions:

- User names
- Groups
- Trusted domains and workstations
- All shares (including the hidden ones)

The null session can be restricted to authenticated users by setting the RestrictAnonymous registry key.

* Platforms Affected: Microsoft Windows NT, 2000
* References: http://cgi.nessus.org/plugins/dump.php3?id=10396
**Recommendation**

To prevent the list of shares from being obtained via a null session, you should either have tight login restrictions, so that only trusted users can access your host, and/or filter incoming traffic to the relevant ports (137/tcp|udp, 138/udp, 139/tcp). To restrict anonymous connections in Windows, follow these steps:

For Windows NT:

1. Open Registry Editor: from the Windows NT Start menu, select Run and type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double-click the "RestrictAnonymous" entry and, in the Data field, type 1.
4. Double-click the "LMCompatibilityLevel" entry and, in the Data field, type 0.
5. Close Registry Editor and reboot the system to apply the changes.

For Windows 2000:

1. Open Registry Editor: from the Windows 2000 Start menu, select Run and type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double-click the "RestrictAnonymous" entry and, in the Data field, type 2.
4. Double-click the "LMCompatibilityLevel" entry and, in the Data field, type 0.
5. Close Registry Editor and reboot the system to apply the changes.
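An added audit-and-remediate helper for the RestrictAnonymous setting described above (example code, not part of the original advisory). It assumes a current Windows host with an elevated PowerShell session, where the same LSA key still exists; the NT/2000 steps above use regedt32 instead, and the function names here are my own.

```powershell
# Added example: audit RestrictAnonymous under the LSA key and apply the
# advisory's value when it is missing or too low. Assumes an elevated session.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NullSessionSettings {
    # Returns the two values the advisory discusses; a missing value is reported as $null.
    $props = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    [pscustomobject]@{
        RestrictAnonymous    = $props.RestrictAnonymous
        LMCompatibilityLevel = $props.LMCompatibilityLevel
    }
}

function Test-RestrictAnonymous {
    # Compliant when the current value is at least the expected one
    # (1 for Windows NT, 2 for Windows 2000, per the advisory).
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Expected)
    $current = (Get-NullSessionSettings).RestrictAnonymous
    if ($null -eq $current) { $current = 0 }   # assumption: an absent value means unrestricted
    [pscustomobject]@{
        Current   = $current
        Expected  = $Expected
        Compliant = ($current -ge $Expected)
    }
}

function Set-RestrictAnonymous {
    # Writes the DWORD; the change takes effect only after a reboot, as the advisory notes.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value)
    Set-ItemProperty -Path $LsaPath -Name 'RestrictAnonymous' -Value $Value -Type DWord
}

# Usage: audit first, remediate only when non-compliant, then report what happened.
$expected = 2
$result = Test-RestrictAnonymous -Expected $expected
$result | Format-List
if (-not $result.Compliant) {
    Set-RestrictAnonymous -Value $expected
    Write-Output "RestrictAnonymous set to $expected; reboot the host to apply the change."
}
```

The script only reports LMCompatibilityLevel and does not modify it, so that step remains a deliberate, separate decision.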