
Disable Null Sessions


James

Jan 12, 2010, 4:08:47 PM1/12/10
We had an audit and were told to disable null sessions on all of our
servers. I found that we could use group policy to accomplish this. I have
enabled the following settings on a test OU and moved a server to that OU.

Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

I was wondering what the easiest way is to verify that the null sessions have been
disabled. I downloaded a few applications that stated they would check this.
When I try to test, I get the same results on my existing servers as I do on
the server that I put in the test OU with the GPO.


Thanks,
James

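One way to check what the GPO actually applied, as an added example that is not part of the thread: the two "Network access" settings above are stored as the RestrictAnonymousSAM and RestrictAnonymous values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so reading them back from the test-OU server and a baseline server shows whether the policy took effect before any scanner is involved. The server names are placeholders, and the script assumes the Remote Registry service is reachable and the caller has admin rights on the targets.

```powershell
# Added example (not from the thread). Reads the effective anonymous-enumeration
# settings from one or more servers and reports whether they match the GPO.
#
# GPO setting -> registry value written under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
#   "Do not allow anonymous enumeration of SAM accounts"            -> RestrictAnonymousSAM = 1
#   "Do not allow anonymous enumeration of SAM accounts and shares" -> RestrictAnonymous    = 1

function Test-NullSessionHardening {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    foreach ($name in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $nt   = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')

            $ra    = $lsa.GetValue('RestrictAnonymous', 0)       # absent value behaves as 0 (no restriction)
            $raSam = $lsa.GetValue('RestrictAnonymousSAM', $null) # value does not exist on Windows 2000
            $osVer = $nt.GetValue('CurrentVersion')               # '5.0' = Windows 2000, '5.2' = Windows 2003

            # Windows 2000 has no RestrictAnonymousSAM; there only RestrictAnonymous = 2
            # ("No access without explicit anonymous permissions") blocks account enumeration.
            $ok = if ($osVer -eq '5.0') { $ra -eq 2 } else { ($ra -ge 1) -and ($raSam -eq 1) }

            [pscustomobject]@{
                Computer             = $name
                OSVersion            = $osVer
                RestrictAnonymous    = $ra
                RestrictAnonymousSAM = $raSam
                Compliant            = $ok
            }
        }
        catch {
            [pscustomobject]@{ Computer = $name; Error = $_.Exception.Message }
        }
        finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Constructed placeholder names: one server from the test OU, one from the untouched baseline.
Test-NullSessionHardening -ComputerName 'TESTOU-SRV01', 'BASELINE-SRV01' | Format-Table -AutoSize
```

Matching registry values do not by themselves cover domain controllers: on a 2003 DC the Pre-Windows 2000 Compatible Access group, if it still contains Everyone or Anonymous Logon, grants read access to user and group objects in the directory independently of these Lsa values, so that group's membership should be reviewed as well.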

James

Jan 12, 2010, 5:14:33 PM1/12/10
I noticed that when I scan the Windows 2000 server that I have, I can get
back the list of local users and groups. When I scan my Windows 2003 member
servers I don't get anything back. When I scan my 2003 domain controllers I
get back a list of users and groups. What is the best way to apply settings
to the server to disable the ability to retrieve this information?


"James" <acid...@hotmail.com> wrote in message
news:eLIrmo8k...@TK2MSFTNGP02.phx.gbl...

JASON ARCHER

Jan 20, 2010, 2:50:31 PM1/20/10
What tools are you using? Many report false positives, in that you can
connect to the IPC$ but are unable to enumerate any further information like
user accounts and domain machines.

So basically, if your tools state you have null sessions enabled but do
not retrieve account information, then you're fixed.

Try Nessus tool as an example.

Rgds


On 12/01/2010 21:08, in article eLIrmo8k...@TK2MSFTNGP02.phx.gbl,

Dave Warren

Jan 20, 2010, 3:44:57 PM1/20/10
In message <C77D0F07.162B%jason_...@btinternet.com> JASON ARCHER
<jason_...@btinternet.com> was claimed to have written:

>What tools are you using? Many report false positives, in that you can
>connect to the IPC$ but are unable to enumerate any further information like
>user accounts and domain machines.
>
>So basically, if your tools state you have null sessions enabled but do
>not retrieve account information, then you're fixed.
>
>Try Nessus tool as an example.

Are you suggesting Nessus tool as an example to retrieve information? Or
as an example of a tool that does it wrong?

JASON ARCHER

Jan 21, 2010, 3:01:22 PM1/21/10
to Dave Warren
A little bit of both, really; you can use the tool to identify whether you have
'NULL' sessions that are insecure. If it returns user and machine info,
then you have a problem; if it just returns the fact that NULL sessions are
enabled, you're OK - I've never understood why they've never fixed it.


On 20/01/2010 20:44, in article 7cqel51di4b537pq2...@4ax.com,

James

Feb 3, 2010, 4:02:07 PM2/3/10
When scanning my single Windows 2000 member server I can get back a list of
usernames. When I scan my Windows 2003 domain controllers I can get back a
list of usernames. My 2003 member servers do not give a list of usernames. I
am not sure how to prevent the 2000 server and the 2003 domain controllers
from providing the usernames. Any help would be great.

Thanks

"JASON ARCHER" <jason_...@btinternet.com> wrote in message
news:C77E6312.1646%jason_...@btinternet.com...
