Null Sessions
Created 10/18/02
CVE-2000-1200
Impact
A remote attacker could gain a list of shared resources or
user names on the system.
Background
Windows operating systems include a feature known as
null sessions. A null session is a way of connecting
to a remote Windows workstation or server without any
user authentication. A null session grants limited privileges
that allow other Windows systems to retrieve certain information
required for Microsoft networking; it is not intended to allow
any type of access that could be exploited by an attacker.
The Problem
An attacker could establish a null session with the system
and use it to gain information about the system, such as
the names of shared folders and a list of user account names.
Resolution
Mitigating this vulnerability will require editing the
registry. The regedt32 command can be used
for this purpose. Keep in mind that erroneous changes to
the registry could leave the system in an unstable and
unbootable state, so use due caution and have a working
system backup and repair disk before editing the registry.
The privileges of null sessions can be limited by changing
the following registry value:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Type: REG_DWORD
Setting this value to 1 will partially
limit the amount of information which is available through
a null session, but will still allow access to some sensitive
information, including the user account list.
On Windows 2000 and XP, this value can also
be set to 2 for greater protection. However,
a value of 2 could also disable some critical
Windows networking functions, so this setting is recommended
only for Internet servers, and should be thoroughly tested.
In addition to the above changes, it is also advisable
to block access to the NetBIOS ports at the firewall or
gateway router. There is usually no reason why a
user outside the local network would have a legitimate
need for NetBIOS access. NetBIOS runs on ports
135, 137, 138, and 139 (TCP and UDP).
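The following PowerShell script is an added example, not part of the original advisory: it audits the RestrictAnonymous value described above, reports what the current level means in the advisory's terms, and can raise it (previewed with -WhatIf by default). The optional host-firewall rule for the NetBIOS ports assumes the NetSecurity module (Windows 8 / Server 2012 and later); the advisory itself recommends blocking at the perimeter firewall or router. Run from an elevated prompt.

```powershell
# Added example: audit and set RestrictAnonymous (CVE-2000-1200 mitigation).
# Key as given in the advisory; Windows treats registry key names case-insensitively.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'

function Get-NullSessionRestriction {
    # Returns the current RestrictAnonymous level; a missing value behaves like 0.
    $item = Get-ItemProperty -Path $lsaKey -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.RestrictAnonymous
}

function Set-NullSessionRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1, 2)][int]$Level)
    if ($PSCmdlet.ShouldProcess($lsaKey, "Set RestrictAnonymous to $Level")) {
        # REG_DWORD as the advisory specifies; the value is created if it does not exist.
        Set-ItemProperty -Path $lsaKey -Name 'RestrictAnonymous' -Value $Level -Type DWord
    }
}

$level = Get-NullSessionRestriction
switch ($level) {
    0 { Write-Warning 'RestrictAnonymous = 0: a null session can list shares and user accounts.' }
    1 { Write-Output  'RestrictAnonymous = 1: partial restriction; the user account list is still exposed.' }
    2 { Write-Output  'RestrictAnonymous = 2: strongest setting (Windows 2000/XP); test networking functions.' }
}

# Raise to 1 (the advisory's baseline). Remove -WhatIf to apply the change.
Set-NullSessionRestriction -Level 1 -WhatIf

# Optional: block inbound NetBIOS ports on the host firewall (NetSecurity module, Windows 8+).
# Rule names are hypothetical; the advisory's primary advice is to block these at the perimeter.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Block inbound NetBIOS ($proto)" -Direction Inbound `
            -Protocol $proto -LocalPort 135, 137, 138, 139 -Action Block -Profile Public -WhatIf
    }
}
```

Re-run the script after applying the change to confirm the reported level; a value of 2 should be deployed only after the networking functions the host depends on have been tested.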
Where can I read more about this?
For more information about using the RestrictAnonymous
registry value to limit the privileges of null sessions, see
Microsoft Knowledge Base articles
Q143474 and
Q246261.
For more information about null sessions, see
SecurityFocus.