Null Sessions

Created 10/18/02
CVE 2000-1200

Impact

A remote attacker could gain a list of shared resources or user names on the system.

Background

Windows operating systems include a feature known as null sessions. A null session is a way of connecting to a remote Windows workstation or server without any user authentication. A null session grants limited privileges which allow other Windows systems to retrieve certain information which is required for Microsoft networking, but isn't intended to allow any type of access which could be exploited by an attacker.

The Problem

An attacker could establish a null session with the system and use it to gain information about the system, such as the names of shared folders and a list of user account names.

Resolution

Mitigating this vulnerability requires editing the registry. The regedt32 command can be used for this purpose. Keep in mind that erroneous changes to the registry could leave the system in an unstable or unbootable state, so use due caution and have a working system backup and repair disk before editing the registry.

The privileges of null sessions can be limited by changing the following registry value:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Type: REG_DWORD

Setting this value to 1 will partially limit the amount of information which is available through a null session, but will still allow access to some sensitive information, including the user account list. On Windows 2000 and XP, this value can also be set to 2 for greater protection. However, a value of 2 could also disable some critical Windows networking functions, so this setting is recommended only for Internet servers, and should be thoroughly tested.
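The following is an added example, not part of the original advisory: a PowerShell function that reads RestrictAnonymous, reports what the current value means according to the description above, and optionally raises it. The function name, parameter names and output fields are hypothetical, and it assumes a system with PowerShell available and an elevated session for writes.

```powershell
# Added example: audit (and optionally raise) the RestrictAnonymous value.
# Function, parameter and field names are hypothetical, not from the advisory.
function Test-NullSessionRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 = partial restriction, 2 = greater protection (Windows 2000/XP)
        [ValidateRange(1, 2)]
        [int]$Desired = 1,
        # Write $Desired when the current value is lower
        [switch]$Remediate
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $name = 'RestrictAnonymous'

    # Assumption: a missing value is treated the same as 0.
    $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $prop) { [int]$prop.$name } else { 0 }

    $meaning = switch ($current) {
        0       { 'no restriction set on null sessions' }
        1       { 'partially limited; user account list still available' }
        2       { 'greater protection; verify Windows networking functions' }
        default { 'unrecognized value' }
    }

    $changed = $false
    if ($Remediate -and $current -lt $Desired) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $Desired")) {
            # -Force overwrites an existing value or creates it if absent
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Desired -Force | Out-Null
            $changed = $true
        }
    }

    [pscustomobject]@{
        Key       = $key
        Value     = $name
        Current   = $current
        Meaning   = $meaning
        Desired   = $Desired
        Compliant = ($current -ge $Desired)
        Changed   = $changed
    }
}

# Report only; add -Remediate -WhatIf to preview a change before writing it.
Test-NullSessionRestriction -Desired 1
```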

In addition to the above changes, it is also advisable to block access to the NetBIOS ports at the firewall or gateway router. There is usually no reason why a user outside the local network would have a legitimate need for NetBIOS access. NetBIOS runs on ports 135, 137, 138, and 139 (TCP and UDP).

Where can I read more about this?

For more information about using the RestrictAnonymous registry value to limit the privileges of null sessions, see Microsoft Knowledge Base articles Q143474 and Q246261.

For more information about null sessions, see SecurityFocus.