I want to find out if there is a way to disable unauthenticated access to the IPC$ share in an effort to remediate the dreaded "Null Session" vulnerability. Steps I have all ready taken and the results: The test system was W2K3 The system I connected from was my desktop WinXP on the same domain Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) RebootFrom my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC“ (took out browser) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC“ (took out browser) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “ (took out all entries) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “ (tried with and without entries) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1 Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = “Netlogon, lsarpc, samr, srvsvc, wkssvc” (left out BROWSER) Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER“ HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1 Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = “ ” (took out all entries) Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2) Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “(tried with and without entries) HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries) Reboot From my desktop -> net use \\<server-name>\IPC$ /u:”” “” Result = Successful I had a thought that maybe these settings were getting changed back after reboots by the local security policy, so I ran through a number of these tests again, and added a step after reboots to check the local security policy to ensure they were not getting changed. After doing all of these tests, I tested again with the <server-name> server and I connected FROM a machine that is not on the domain, to make sure there was not a GPO, or some kind of domain trust playing into this. The results of these tests were the same. and just to clarify i had RestrictNullSessAccess = 1 and i tried this: found here - http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/841523db-8c4b-43a0-9f28-be7270f92e2b There are 6 policies listed below that controls what information can be accessed anonymously. These policies are located in local group policy editor under Computer Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions. 1. Network access: Allow anonymous SID/Name translation 2. Network access: Do not allow anonymous enumeration of SAM accounts 3. Network access: Do not allow anonymous enumeration of SAM accounts and shares 4. Network access: Let Everyone permissions apply to anonymous users 5. Network access: Named Pipes that can be accessed anonymously 6. Network access: Shares that can be accessed anonymously In order to completely disable anonymous logons, you can disable policy 1 and 4, enable policy 2 and 3, and specifying empty lists for policy 5 and 6. I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$ OR TO -\\<server>\- Links to MS articles: RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/library/cc783167(WS.10).aspx Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890 TurnOffAnonymousBlock - http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b37c3237-94e1-48a5-9f2d-7925106107b7 RestrictNullSessAccess - http://technet.microsoft.com/en-us/library/cc785969%28WS.10%29.aspx Is this a lost cause? What am I missing? IS there even a way to completely disable unauthenticated access to IPC$??? i already know about monitoring with IDS/IPS and I can block access with firewalls.... blah... blah... blah... BUT outside of that, is there a way, either through local security policy / registry / GPO / <insert compensating control here> - to restrict this? please advise....