How can I disable unauthenticated connections to IPC$?
I want to find out if there is a way to disable unauthenticated access to the IPC$ share in an effort to remediate the dreaded "Null Session" vulnerability. Steps I have already taken and the results:
The test system was W2K3
The system I connected from was my desktop WinXP on the same domain
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC“
(took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC“
(took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “
(took out all entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “
(tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = “Netlogon, lsarpc, samr, srvsvc, wkssvc” (left out BROWSER)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER“
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = “ ” (took out all entries)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1 (tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
(tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = “ “ (tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

I had a thought that maybe these settings were getting changed back after reboots by the local security policy, so I ran through a number of these tests again, and added a step after reboots to check the local security policy to ensure they were not getting changed.
After doing all of these tests, I tested again with the <server-name> server and I connected FROM a machine that is not on the domain, to make sure there was not a GPO, or some kind of domain trust playing into this. The results of these tests were the same.
And just to clarify, I had RestrictNullSessAccess = 1
and I tried this:
found here - http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/841523db-8c4b-43a0-9f28-be7270f92e2b
There are 6 policies listed below that control what information can be accessed anonymously. These policies are located in the local group policy editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM accounts
3. Network access: Do not allow anonymous enumeration of SAM accounts and shares
4. Network access: Let Everyone permissions apply to anonymous users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously
In order to completely disable anonymous logons, you can disable policy 1 and 4, enable policy 2 and 3, and specify empty lists for policy 5 and 6.
I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$ OR TO -\\<server>\-
Links to MS articles:
RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/library/cc783167(WS.10).aspx
Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890
TurnOffAnonymousBlock - http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b37c3237-94e1-48a5-9f2d-7925106107b7
RestrictNullSessAccess - http://technet.microsoft.com/en-us/library/cc785969%28WS.10%29.aspx
Is this a lost cause?
What am I missing?
IS there even a way to completely disable unauthenticated access to IPC$???
I already know about monitoring with IDS/IPS and I can block access with firewalls.... blah... blah... blah... BUT outside of that, is there a way, either through local security policy / registry / GPO / <insert compensating control here> - to restrict this?
Please advise....
January 20th, 2011 2:40pm
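
The six-policy advice quoted in the post can be checked against a server's actual registry state. The following is an added example, not code from the original post or from Microsoft: a Python audit of the registry values behind policies 2-6 plus RestrictNullSessAccess, run over saved `reg query` output. The sample output is constructed, the `reg query` text layout is an assumption, and the value names RestrictAnonymousSAM and EveryoneIncludesAnonymous do not appear in the post.

```python
import re

# Target state for the registry values behind policies 2-6 in the quoted advice,
# plus RestrictNullSessAccess from the post. Policy 1 (anonymous SID/Name
# translation) is not stored as one of these values and is not checked.
EXPECTED = {
    "restrictanonymoussam": 1,       # policy 2 enabled
    "restrictanonymous": 1,          # policy 3 enabled
    "everyoneincludesanonymous": 0,  # policy 4 disabled
    "nullsessionpipes": [],          # policy 5 empty
    "nullsessionshares": [],         # policy 6 empty
    "restrictnullsessaccess": 1,
}

# Constructed sample, in the assumed `reg query` layout: name, type, data,
# with REG_MULTI_SZ entries separated by a literal \0.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x1
    restrictanonymoussam    REG_DWORD    0x1
    everyoneincludesanonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SQL\QUERY\0SPOOLSS\0LLSRPC
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*\S))?\s*$")

def parse_reg_query(text):
    """Map lower-cased value names to ints (REG_DWORD) or lists (REG_MULTI_SZ)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key-path headers and blank lines
        name, kind, data = m.group(1).lower(), m.group(2), m.group(3) or ""
        if kind == "REG_DWORD":
            values[name] = int(data, 16)
        elif kind == "REG_MULTI_SZ":
            values[name] = [s for s in data.split("\\0") if s]
    return values

def audit(values):
    """Return (name, actual, wanted) for each value that is missing or differs."""
    return [(n, values.get(n, "not set"), w) for n, w in EXPECTED.items()
            if values.get(n, "not set") != w]

if __name__ == "__main__":
    for name, actual, wanted in audit(parse_reg_query(SAMPLE)):
        print(f"{name}: found {actual!r}, expected {wanted!r}")
```

Re-running the audit after each reboot also shows whether a policy refresh has rewritten any of these values, which is the check the post describes doing by hand.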