
How can I disable unauthenticated connections to IPC$


zerotrace

Jan 21, 2011, 10:05:58 AM
I want to find out if there is a way to disable unauthenticated access
to the IPC$ share in an effort to remediate the /sarcasm dreaded "Null
Session" vulnerability. Steps I have already taken and the results:

The test system was W2K3

The system I connected from was my desktop WinXP on the same domain

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
LLSRPC“ (took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
LLSRPC“ (took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “ “ (took out all entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “ “ (tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver
\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver
\parameters\AllowedPipes = “Netlogon, lsarpc, samr, srvsvc,
wkssvc” (left out BROWSER)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC,
BROWSER“
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver
\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver
\parameters\AllowedPipes = “ ” (took out all entries)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionPipes = “ “(tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

I had a thought that maybe these settings were getting changed back
after reboots by the local security policy, so I ran through a number
of these tests again, and added a step after reboots to check the
local security policy to ensure they were not getting changed.

After doing all of these tests, I tested again with the <server-name>
server and I connected FROM a machine that is not on the domain, to
make sure there was not a GPO, or some kind of domain trust playing
into this. The results of these tests were the same.

And just to clarify, I had RestrictNullSessAccess = 1

And I tried this:
found here - http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/841523db-8c4b-43a0-9f28-be7270f92e2b
There are 6 policies listed below that controls what information can
be accessed anonymously. These policies are located in local group
policy editor under Computer Configuration\Windows Settings
\SecuritySettings\Local Policies\SecurityOptions.
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM
accounts
3. Network access: Do not allow anonymous enumeration of SAM
accounts and shares
4. Network access: Let Everyone permissions apply to anonymous
users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously
In order to completely disable anonymous logons, you can disable
policy 1 and 4, enable policy 2 and 3, and specifying empty lists for
policy 5 and 6.

I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$
OR TO -\\<server>\-

Links to MS articles:
RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/library/cc783167(WS.10).aspx
Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890
TurnOffAnonymousBlock -
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b37c3237-94e1-48a5-9f2d-7925106107b7
RestrictNullSessAccess - http://technet.microsoft.com/en-us/library/cc785969%28WS.10%29.aspx

Is this a lost cause?
What am I missing?
IS there even a way to completely disable unauthenticated access to IPC$???

I already know about monitoring with IDS/IPS and I can block access
with firewalls.... blah... blah... blah... BUT outside of that, is
there a way, either through local security policy / registry / GPO /
<insert compensating control here> - to restrict this?

please advise....
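
An added example, not part of the original post: a PowerShell audit that reads, in one pass, the registry values behind the settings tested above and compares them with the guidance the post quotes. The value names RestrictAnonymousSAM and EveryoneIncludesAnonymous (the values behind policies 2 and 4) and the helper name Get-AnonymousAccessAudit are assumptions that do not appear in the post.

```powershell
# Added example (not from the post): audit the anonymous-access registry values.
# Accept lists follow the guidance quoted in the post; '' means "empty or not set".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Accept = @('1', '2') },  # policy 3
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Accept = @('1') },       # policy 2
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Accept = @('0') },       # policy 4
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Accept = @('1') },
    @{ Path = $srv; Name = 'NullSessionPipes';          Accept = @('') },        # policy 5
    @{ Path = $srv; Name = 'NullSessionShares';         Accept = @('') }         # policy 6
)
# Policy 1 (anonymous SID/Name translation) is not stored as a registry value;
# check it in the Local Security Policy editor.

function Get-AnonymousAccessAudit {   # hypothetical helper name
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = ''
        if ($null -ne $item) {
            # REG_MULTI_SZ arrives as string[]; drop blank entries, then join
            $values = @($item.($c.Name)) | Where-Object { "$_".Trim() -ne '' }
            $actual = @($values) -join ', '
        }
        # Distinguish a missing value from one that exists but is empty
        $shown = $actual
        if ($null -eq $item) { $shown = '<not set>' }
        elseif ($actual -eq '') { $shown = '<empty>' }
        New-Object PSObject -Property @{
            Value     = $c.Name
            Actual    = $shown
            Compliant = ($c.Accept -contains $actual)
        } | Select-Object Value, Actual, Compliant
    }
}

Get-AnonymousAccessAudit -Checks $checks | Format-Table -AutoSize
```

Running it on the server after each reboot shows whether the values persisted, without opening each key by hand.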
