Shares enumerated through a null session

Risk Level: Medium

Check or Attack Name: NetBIOS shares - null session

Platforms: Windows NT
Description:

Users or shares were detected using a null session. A null session is a NetBIOS connection established with a zero-length string as the user name, password, and domain name; it is designed to enable enumeration of shares and users. This capability has always been present in Windows NT, but was discovered to allow access to the registry with the same level of permissions as the Everyone group. It is a medium risk vulnerability (similar to finger) that allows users and shares to be enumerated.

Remedy:

Windows NT 4.0 users must first apply the latest Windows NT 4.0 Service Pack or the post-SP2 sec-fix patch described later, remove all unnecessary shares, and restrict anonymous connections.

Note: The vulnerability will be flagged if any shares are detected, even if they are not accessible. Windows 95 machines must disable file and print sharing to avoid flagging this vulnerability. If shares are needed and must be secure, consider upgrading to Windows NT running NTFS.

Windows 95: To remove file and print sharing:

  1. Open the Network control panel. From the Windows NT Start menu, select Settings, Control Panel, Network.
  2. From Configuration, click File and Print Sharing.
  3. Disable "I want to be able to give others access to my files."
  4. Disable "I want to be able to allow others to print to my printer(s)."
  5. Click OK and restart the computer. The Windows 95 machine no longer allows shares to exist or be created.

Windows NT: Perform the following actions:

Remove unnecessary shares. Choose one of these options:

  • Remove the share from a local computer.

    1. From the local computer, open Windows NT Explorer.
    2. Navigate to the shared folder.
    3. Right-click the shared folder name and select Sharing to display the Properties dialog box.
    4. To disallow access to all users, select the Not Shared check box.

  • Remove the share from a remote computer.

    1. From a remote computer, open the Server Manager.
    2. Select the host name.
    3. From the Computer menu, select Shared Directories to display the Shared Directories dialog box.
    4. Select the NetBIOS share.
    5. Click Stop Sharing.

  • Remove the share from the command line.

    1. From a command prompt, type: net share sharename /delete

—AND—

Apply the latest Windows NT 4.0 Service Pack. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.

Windows NT 4.0 Service Pack 2 (SP2) users must apply the sec-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/sec-fix/.

—AND—

Restrict anonymous connections by changing the registry. To restrict anonymous connections in Windows NT:

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

  1. If you have not already done so, apply the latest Windows NT 4.0 Service Pack or the post-SP2 sec-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/sec-fix/.
  2. Open the Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
  4. From the Edit menu, choose Add Value to display the Add Value dialog box.
  5. In the Value Name field, type RestrictAnonymous.
  6. Select REG_DWORD as the Data Type.
  7. Click OK to display the DWORD Editor.
  8. In the Data field, type 1. (Ignore the Radix setting.)
  9. Click OK. Registry Editor adds the key to the registry.
  10. Reboot the system to apply the changes.

Note: Changing the Registry entries is only effective after applying the post-SP2 sec-fix patch or the latest Windows NT Servic
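
An added example, not part of the original advisory: a Python audit that checks two of the remedies above from output collected on a host, listing shares to review for removal and confirming that RestrictAnonymous is 1 under the LSA key. The sample `net share` output and REGEDIT4 export are constructed, and the function names and the default-share list (ADMIN$, IPC$, drive-letter shares) are assumptions of this example.

```python
import re

# Constructed sample of `net share` output (not from the advisory).
NET_SHARE_OUTPUT = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
Backup$      D:\Backup
Public       C:\Public
The command completed successfully.
"""
# Constructed sample of a REGEDIT4 export of the LSA key (not from the advisory).
LSA_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
VALUE_RE = re.compile(r'"restrictanonymous"=dword:([0-9a-f]{8})$', re.I)
# Assumption: only these built-in administrative shares are expected by default.
DEFAULT_RE = re.compile(r"^(ADMIN|IPC|[A-Z])\$$", re.I)

def parse_shares(net_share_output):
    """Return share names listed between the dashed rule and the status line."""
    shares, in_table = [], False
    for line in net_share_output.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line[:1].strip() and not line.startswith("The command"):
            shares.append(line.split()[0])  # indented continuation lines skipped
    return shares

def restrict_anonymous(reg_export):
    """Return RestrictAnonymous under the LSA key as an int, or None if absent."""
    section = None
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        match = VALUE_RE.match(line)
        if match and section == LSA_KEY:
            return int(match.group(1), 16)
    return None

def audit(net_share_output, reg_export):
    """Report shares to review for removal and whether the registry fix is set."""
    review = [s for s in parse_shares(net_share_output) if not DEFAULT_RE.match(s)]
    return {"review_for_removal": review,
            "anonymous_restricted": restrict_anonymous(reg_export) == 1}
```

A hidden share such as the constructed `Backup$` is still listed for review, because a trailing `$` only hides a share from browsing and does not make it a built-in administrative share.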

References:

Microsoft Knowledge Base Article Q143475, Windows NT System Key Permits Strong Encryption of the SAM, http://support.microsoft.com/support/kb/articles/q143/4/75.asp

Microsoft Knowledge Base Article Q155363, HOWTO: Regulate Network Access to the Windows NT Registry, http://support.microsoft.com/support/kb/articles/q155/3/63.asp

Microsoft Knowledge Base Article Q143474, Restricting Information Available to Anonymous Logon Users, http://support.microsoft.com/support/kb/articles/q143/4/74.asp

Microsoft Knowledge Base Article Q143474, Restricting Information Available to Anonymous Logon Users, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/sec-fix/Q143474.txt

Microsoft Knowledge Base Article Q143475, Windows NT System Key Permits Strong Encryption of the SAM, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/sec-fix/Q143475.txt

