| VID |
28013 |
| Severity |
20 |
| Port |
137,138,139 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The remote windows system is connected using a null session to IPC$ and all shares of the windows system is listed. A null session (as opposed to a validated session) is used because browsing can occur without a valid trust relationship. The null session is analogous to an anonymous login, permitting the computer to obtain a browse list as the following without regard to resource permissions:
- User names
- Groups
- Trusted domains and workstations
- All Shares (including the hidden ones)
The null session can be restricted to authenticated users by setting the RestrictAnonymous registry key.
* Platforms Affected:
Microsoft Windows NT, 2000, XP, 2003
* References:
http://www.iss.net/security_center/static/171.php
http://support.microsoft.com/support/kb/articles/q246/2/61.asp |
| Recommendation |
To prevent the listing of the shares for being obtained via a null session, you should either have tight login restrictions, so that only trusted users can access your host, and/or you should filter incoming traffic to some ports (137/tcp|udp, 138/udp, 139/tcp).
To restrict anonymous connections in Windows NT, follow these steps:
* Windows NT:
1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double Click ""RestrictAnonymous"" Key and In the Data field, type 1.
4. Double Click ""LMCompatibilityLevel"" Key and In the Data field, type 0.
5. Close Registry Editor, and Reboot the system to apply the changes.
* Windows 2000, XP, 2003:
1. Open Registry Editor. From the Windows Start menu, select Run, type regedt32.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. Double Click ""RestrictAnonymous"" Key and In the Data field, type 2.
4. Close Registry Editor, and Reboot the system to apply the changes. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
