PREVENTING HACKS THROUGH NULL SESSIONS

All variations of the Windows NT kernel have a major security flaw: They allow a peculiar form of access called a null or anonymous session, which can yield dangerous information about a machine and its SAM (Security Accounts Manager) accounts. SAM is a local security database that stores information about all of a machine's user and group accounts. Discovering a SAM account with administrative privileges would be a hacker's first objective—but getting the name of any account is a big step. With a user name, a hacker has a hope of eventually breaking into the user's account, then jacking up account privileges to the admin level.

There is a reason Windows allows anonymous access. In a trusted environment, this lets Windows NT, 2000, and XP machines see one another's shared folders and attached peripherals via the Interprocess Communication share (IPC$). Allowing IPC$ is a must for some simple peer networks.

But IPC$ also allows entry to client machines. A hacker who types

net use \\yourcomputer\ipc$ "" /user:""
at a command line (where yourcomputer is either your internal IP address or your NetBIOS machine name) is assigned a blank name and password and connected to your PC. Establishing a null session like this does not allow control of your machine, but it does reveal all the user names on your system, the groups your system belongs to, the rights it has, and any shares available.

By setting or modifying a value in the Registry, you can restrict anonymous access. For Windows NT or 2000, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Look in the right-hand pane for the DWORD value RestrictAnonymous. If you don't find it, right-click in the right-hand pane, choose Edit | New | DWORD Value, and name the value RestrictAnonymous.

In Windows NT with Service Pack 3 or in Windows 2000, the data for this value can be 0, 1, or 2 (we'll get to Windows XP in a moment). If it's 2, you're all set. No information can leak via a null session, because there is no way to establish one. If the value is 1 (all that was allowed before Windows NT with SP3), some tools can still enumerate information. If it is 0, your machine is wide open. Double-click on the value and set its data to 1 or 2, then restart the system.

Although 2 is preferable, it may cause connectivity and sharing problems when used outside of an environment running only Windows 2000. For example, down-level clients won't be able to establish access to the domain the Windows 2000 machine is hosting; that effectively closes those clients off from the network's resources.

Windows XP solves the problems that a setting of 2 can introduce by adding more flexibility to null-session restrictions. In addition to RestrictAnonymous, Windows XP has two other DWORD values you can modify—RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous to 1 to limit access to share information, and set RestrictAnonymousSAM to 1 to prevent enumeration of SAM accounts. Finally, assign EveryoneIncludesAnonymous a value of 0, which will keep null-session users from having any rights. This still allows the establishment of a null session, so basic network resources such as files and printers remain available to all trusted users, but nothing will leak.
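The rules in the preceding paragraphs (NT/2000: RestrictAnonymous 0, 1 or 2; XP: RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous) are easy to check by hand on one machine and tedious across many. The script below is an added example, not code from the original article: it parses the text file regedit produces when you export the Lsa key and reports the null-session posture according to those rules, including the down-level client caveat for a setting of 2. The .reg text it contains is constructed sample input; the status labels ("protected", "partial", "open") and function names are this example's own.

```python
"""Audit null-session (anonymous access) restrictions from a regedit export.

Added example for this article, not code from it. It parses the text that
regedit writes when you export the Lsa key ("Windows Registry Editor
Version 5.00" format) and applies the article's rules:
  NT/2000: RestrictAnonymous 2 = no null session possible, 1 = some tools
           can still enumerate, 0/absent = wide open.
  XP:      RestrictAnonymous >= 1, RestrictAnonymousSAM = 1 and
           EveryoneIncludesAnonymous = 0 together keep the session usable
           for trusted users while leaking nothing.
The .reg text at the bottom is constructed sample input.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export.

    Handles REG_DWORD ("dword:XXXXXXXX" -> int) and plain REG_SZ
    ("..." -> str); other types are skipped, since the audit needs
    only the DWORD values under Lsa."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if val and current is not None:
            name, data = val.groups()
            if data.lower().startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1]
    return keys


def audit_lsa_values(values, windows_version):
    """Classify one machine's null-session exposure.

    values: the Lsa key's value dict from parse_reg_export.
    windows_version: "NT", "2000" or "XP".
    Returns (status, findings): status is "protected", "partial" or
    "open"; findings lists the reasons and any compatibility caveat."""
    findings = []
    # An absent RestrictAnonymous behaves like 0 (the article has you create it).
    ra = values.get("RestrictAnonymous", 0)
    if windows_version in ("NT", "2000"):
        if ra >= 2:
            findings.append("RestrictAnonymous=2: no null session can be established")
            findings.append("caveat: down-level clients may be unable to reach domain resources hosted here")
            return "protected", findings
        if ra == 1:
            findings.append("RestrictAnonymous=1: some tools can still enumerate information")
            return "partial", findings
        findings.append("RestrictAnonymous=0 or absent: wide open to null-session enumeration")
        return "open", findings
    if windows_version == "XP":
        if ra < 1:
            findings.append("RestrictAnonymous=0 or absent: share information can leak")
        # For the XP-only values an absent entry is reported, not assumed,
        # because the built-in default is not visible in an export.
        ra_sam = values.get("RestrictAnonymousSAM")
        eia = values.get("EveryoneIncludesAnonymous")
        if ra_sam != 1:
            findings.append("RestrictAnonymousSAM is %s; set it to 1 to stop SAM account enumeration" % ra_sam)
        if eia != 0:
            findings.append("EveryoneIncludesAnonymous is %s; set it to 0 so null-session users hold no rights" % eia)
        if not findings:
            findings.append("null session still allowed for trusted resource sharing, but nothing leaks")
            return "protected", findings
        return ("open" if ra < 1 else "partial"), findings
    raise ValueError("unknown Windows version: %r" % windows_version)


def audit_reg_export(text, windows_version):
    """Locate the Lsa key in an export (case-insensitively) and audit it."""
    keys = parse_reg_export(text)
    lsa = next((v for k, v in keys.items() if k.lower() == LSA_KEY.lower()), {})
    return audit_lsa_values(lsa, windows_version)


# Constructed sample exports, in the layout regedit writes.
SAMPLE_2000 = """Windows Registry Editor Version 5.00

; constructed export from a Windows 2000 machine
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000001
"""

SAMPLE_XP = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000001
"RestrictAnonymousSAM"=dword:00000001
"EveryoneIncludesAnonymous"=dword:00000000
"""

if __name__ == "__main__":
    for label, text, ver in (("2000", SAMPLE_2000, "2000"), ("XP", SAMPLE_XP, "XP")):
        status, findings = audit_reg_export(text, ver)
        print(label, status, *findings, sep="\n  ")
```

To use it against a real machine, export the Lsa key with regedit (File | Export, with the key selected) and feed the file's text to audit_reg_export together with the Windows version; the "partial" status on the 2000 sample reflects the article's point that a value of 1 still lets some tools enumerate, and the caveat line for a value of 2 is the connectivity trade-off described above.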
APPLY SAFETY, PREVENT HACKING! :-)