--Null sessions require access to TCP port 139 and/or TCP port 445.
--You could also disable SMB services entirely on individual hosts by unbinding the WINS Client (TCP/IP) from the network interface.
--Edit the registry to restrict the anonymous user.
     -----Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
     -----Choose Edit | Add Value
          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Value: 2
"HKLM" refers to the hive "HKEY_LOCAL_MACHINE". If this value is set to "1", anonymous connections are restricted. However, an anonymous user can still connect to the IPC$ share, though it is restricted as to which information can be obtained through that connection. A value of "1" prevents anonymous users from enumerating SAM accounts and shares. A value of "2", added in Windows 2000, restricts all anonymous access unless it has been explicitly granted. Therefore, the first registry key to check is:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
The other keys to inspect are:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
These are MULTI_SZ (multi-string) registry values that list the shares and pipes, respectively, that are open to null sessions. Both should be verified so that no unwarranted shares or pipes are exposed. Moreover, the keys themselves should be secured so that only 'SYSTEM' or 'Administrators' have permission to modify them.
In Windows 2000, the domain security policy lays down the protection measures for the domain controller. On systems that are not domain controllers, the 'Local Security Policy' must be configured to restrict anonymous connections. The setting "No access without explicit anonymous permission" is the most secure and is the equivalent of a value of 2 in the registry key HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous discussed above.
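An added audit script (not from the original post) that reads the three registry values discussed above and reports whether they match the recommended settings: RestrictAnonymous equal to 2, and no entries in NullSessionShares or NullSessionPipes. It assumes it runs on a Windows host with read access to HKLM; the function name Test-NullSessionHardening is my own.

```powershell
# Added example: audit the null-session registry values described in the post.
# Assumes a Windows host and read access to HKLM (run as an administrator).

function Test-NullSessionHardening {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Read each value; a missing value comes back as $null instead of throwing.
    $restrict = (Get-ItemProperty -Path $lsa    -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue).RestrictAnonymous
    $shares   = (Get-ItemProperty -Path $params -Name 'NullSessionShares' -ErrorAction SilentlyContinue).NullSessionShares
    $pipes    = (Get-ItemProperty -Path $params -Name 'NullSessionPipes'  -ErrorAction SilentlyContinue).NullSessionPipes

    # MULTI_SZ values arrive as string arrays; drop $null and blank entries.
    $shares = @($shares | Where-Object { $_ -and $_.Trim() })
    $pipes  = @($pipes  | Where-Object { $_ -and $_.Trim() })

    [pscustomobject]@{
        RestrictAnonymous   = $restrict
        RestrictAnonymousOk = ($restrict -eq 2)   # 2 = no access without explicit permission
        NullSessionShares   = $shares
        NullSessionPipes    = $pipes
        NullSessionsOpen    = (($shares.Count + $pipes.Count) -gt 0)
    }
}

$result = Test-NullSessionHardening
$result | Format-List

if (-not $result.RestrictAnonymousOk) {
    Write-Warning "RestrictAnonymous is '$($result.RestrictAnonymous)'; the recommended value is 2."
}
foreach ($s in $result.NullSessionShares) { Write-Warning "Share open to null sessions: $s" }
foreach ($p in $result.NullSessionPipes)  { Write-Warning "Pipe open to null sessions: $p" }
```

Compare any listed pipes against your own baseline before removing them, since some services register pipes here by default. On Windows versions after 2000 the anonymous-access controls were split into additional values (RestrictAnonymousSAM and EveryoneIncludesAnonymous), so check those as well on newer hosts.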
Another advisable step is to disallow remote access completely except for specific accounts and groups. It is also prudent to block the NetBIOS ports on the firewall or border router to increase network security. Blocking the following ports will prevent null sessions (as well as other attacks that rely on NetBIOS):
135 TCP DCE/RPC Portmapper
137 TCP/UDP NetBIOS Name Service
138 TCP/UDP NetBIOS Datagram Service
139 TCP NetBIOS Session Service
445 TCP Microsoft-DS (Windows 2000 CIFS/SMB)
Finally, a best practice that pays off is to stop all services that are not required for the functioning of the system.