| VID | 28006 |
| Severity | 20 |
| Port | 137,138,139 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The remote Windows system is connected using a null session to IPC$. IPC$ is a share created on each Windows NT computer through which interprocess communication can take place. A null session (as opposed to a validated session) is used because browsing can occur without a valid trust relationship. The null session is analogous to an anonymous login, permitting the computer to obtain a browse list such as the following, without regard to resource permissions:
- User names
- Groups
- Trusted domains and workstations
- All shares (including the hidden ones)

The null session can be restricted to authenticated users by setting the RestrictAnonymous registry key.
* Platforms Affected: Microsoft Windows NT, 2000, XP
* References:
  - http://www.pcmag.com/article2/0,4149,671696,00.asp
  - http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html
  - http://www.iss.net/security_center/static/679.php |
| Recommendation |
To prevent the list of shares from being obtained via a null session, you should have tight login restrictions, so that only trusted users can access your host, and/or filter incoming traffic to some ports (137/tcp|udp, 138/udp, 139/tcp). To restrict anonymous connections in Windows, follow these steps:

For Windows NT:
1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double-click the "RestrictAnonymous" key and, in the Data field, type 1.
4. Close Registry Editor and reboot the system to apply the changes.

For Windows 2000:
1. Open Registry Editor. From the Windows 2000 Start menu, select Run, type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double-click the "RestrictAnonymous" key and, in the Data field, type 2.
4. Close Registry Editor and reboot the system to apply the changes.

For Windows XP, 7, 8, 10:
1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa by using regedit or another registry editing program.
2. Set RestrictAnonymous to 1 to limit access to share information.
3. Set RestrictAnonymousSAM to 1 to prevent enumeration of the SAM (Security Accounts Manager).
4. Set EveryoneIncludesAnonymous to 0, which will keep null-session users from having any rights.
-- AND --
1. Go to Administrative Tools -> Local Security Settings -> Local Policies -> Security Options.
2. Make sure the following two policies are enabled:
   - Network Access: Do not allow anonymous enumeration of SAM accounts -> Enabled
   - Network Access: Do not allow anonymous enumeration of SAM accounts and shares -> Enabled
3. Enable the two policies if they are not already enabled.

* Note: This setting still allows the establishment of a null session, but account and share information will not leak through enumeration. |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
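
The following is an added example, not part of the original entry: a read-only PowerShell audit of the three Lsa registry values that the Recommendation names for Windows XP and later, compared against the values given there. The function name `Test-NullSessionHardening` is hypothetical, and a value that is absent from the key is reported as not set rather than assumed.

```powershell
# Added example: read-only audit of the Lsa values named in the Recommendation
# (Windows XP and later steps). The function name is hypothetical.
function Test-NullSessionHardening {
    [CmdletBinding()]
    param(
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # Expected values, taken from the Recommendation for Windows XP, 7, 8, 10.
    $expected = [ordered]@{
        RestrictAnonymous         = 1
        RestrictAnonymousSAM      = 1
        EveryoneIncludesAnonymous = 0
    }

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    foreach ($name in $expected.Keys) {
        # A value missing from the key is reported as such, never guessed.
        $prop   = $lsa.PSObject.Properties[$name]
        $actual = if ($prop) { [int]$prop.Value } else { $null }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $expected[$name])
        }
    }
}

# Run the audit on the local host and show one row per setting.
$results = Test-NullSessionHardening
$results | Format-Table -AutoSize

# Summarise so the output can be consumed by a scheduled compliance job.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the recommended values." -f $failed.Count)
} else {
    Write-Output 'All three Lsa settings match the recommended values.'
}
```

A Windows 2000 host configured per the steps above (RestrictAnonymous = 2) is reported as differing, because the check compares against the XP-and-later values only.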