Wednesday, January 11, 2012

Null Session Countermeasure


--Null sessions require access to TCP port 139 and/or TCP port 445.

--You could also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

--Edit the registry to restrict the anonymous user.

     -----Open regedt32, navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

     -----Choose Edit | Add Value
          Value Name: RestrictAnonymous

          Data Type: REG_DWORD

          Value: 2

"HKLM" refers to the hive "HKEY_LOCAL_MACHINE". If this is set to "1", anonymous connections are restricted. However, an anonymous user can still connect to the IPC$ share, though the information obtainable through that connection is restricted. A value of "1" restricts anonymous users from enumerating SAM accounts and shares. A value of "2", added in Windows 2000, restricts all anonymous access unless explicitly granted. Therefore, the first registry key to check would be:

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

The other keys to inspect are:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes


These are MULTI_SZ (multi-line string) registry parameters that list the shares and pipes, respectively, that are open to null sessions. These keys should be verified so that no unwarranted shares or pipes are open. Moreover, those that remain open should be secured such that only 'SYSTEM' or 'Administrators' have permission to modify these keys.
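The following PowerShell script is an added example, not part of the original post: it audits the three values discussed above (RestrictAnonymous, NullSessionShares, NullSessionPipes) and lists any principal other than SYSTEM or Administrators that can modify the LanmanServer Parameters key. It assumes a Windows host with the PowerShell Registry provider and an elevated prompt; the function name Get-RegistryValueOrNull is my own.

```powershell
# Added example, not from the original post: audit the registry values the post describes.
# Assumes Windows with PowerShell and the Registry provider; run from an elevated prompt
# so that the ACL check and the optional Set-ItemProperty at the end are permitted.

$lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$serverPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Returns the value, or $null when the value name does not exist on this host.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. RestrictAnonymous: 0 (or absent) = enumeration allowed, 1 = SAM/share enumeration blocked
#    but IPC$ still reachable, 2 = all anonymous access blocked unless explicitly granted.
$restrictAnonymous = Get-RegistryValueOrNull -Path $lsaPath -Name 'RestrictAnonymous'
if ($null -eq $restrictAnonymous) {
    Write-Warning "RestrictAnonymous is not set (behaves as 0): anonymous enumeration is allowed"
} elseif ($restrictAnonymous -eq 0) {
    Write-Warning "RestrictAnonymous = 0: anonymous enumeration is allowed"
} elseif ($restrictAnonymous -eq 1) {
    Write-Warning "RestrictAnonymous = 1: SAM and share enumeration blocked, but IPC$ still accepts null sessions"
} elseif ($restrictAnonymous -eq 2) {
    Write-Output "RestrictAnonymous = 2: all anonymous access blocked unless explicitly granted"
} else {
    Write-Warning "RestrictAnonymous has an unexpected value: $restrictAnonymous"
}

# 2. NullSessionShares / NullSessionPipes are MULTI_SZ lists; every entry is reachable anonymously.
foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
    $entries = @(Get-RegistryValueOrNull -Path $serverPath -Name $name |
                 Where-Object { -not [string]::IsNullOrEmpty($_) })
    if ($entries.Count -eq 0) {
        Write-Output "${name}: empty (nothing exposed to null sessions)"
    } else {
        Write-Warning "${name} exposes: $($entries -join ', ') -- confirm each entry is required"
    }
}

# 3. Only SYSTEM and Administrators should be able to change these keys: report every other
#    principal that holds SetValue (or broader) rights on the LanmanServer Parameters key.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path $serverPath
foreach ($rule in $acl.Access) {
    $canWrite = ($rule.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0
    if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
        $expected -notcontains $rule.IdentityReference.Value) {
        Write-Warning "$($rule.IdentityReference.Value) can modify $serverPath ($($rule.RegistryRights))"
    }
}

# To apply the post's recommended setting (the PowerShell equivalent of the regedt32 steps above):
# Set-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -Type DWord -Value 2
```

The ACL check reports any Allow rule carrying SetValue that belongs to a principal outside the expected pair; entries such as CREATOR OWNER will show up and should be judged on a case-by-case basis rather than removed blindly. The Set-ItemProperty line is left commented out so the script audits before it changes anything.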

In Windows 2000, the domain security policy lays down the protection measures for the domain controller. On systems that are not domain controllers, the 'Local Security Policy' must be configured to restrict anonymous connections. The value "No access without explicit anonymous permission" is the most secure and the equivalent of 2 in the registry value of the key HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous discussed above.

Another step that is advisable is to disallow remote access completely except for specific accounts and groups. It would be prudent to block NetBIOS ports on the firewall or border router to increase network security. Blocking the following ports will protect against null sessions (as well as other attacks that use NetBIOS):

135 TCP DCE/RPC Portmapper

137 TCP/UDP NetBIOS Name Service

138 TCP/UDP NetBIOS Datagram Service

139 TCP NetBIOS Session Service

445 TCP Microsoft-DS (Windows 2000 CIFS/SMB)
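As an added example (not from the original post), the script below creates inbound host-firewall rules for the five ports listed above using the NetSecurity cmdlets. It assumes Windows 8 / Server 2012 or later, where New-NetFirewallRule is available, and an elevated prompt; the rule display names are my own choice.

```powershell
# Added example, not from the original post: host-firewall rules that drop inbound traffic on
# the ports listed above. Assumes the NetSecurity module (Windows 8 / Server 2012 and later)
# and an elevated prompt. The border firewall or router should carry the same blocks.

$blocks = @(
    @{ Label = 'DCE-RPC Portmapper';       Protocol = 'TCP'; Port = 135 },
    @{ Label = 'NetBIOS Name Service';     Protocol = 'TCP'; Port = 137 },
    @{ Label = 'NetBIOS Name Service';     Protocol = 'UDP'; Port = 137 },
    @{ Label = 'NetBIOS Datagram Service'; Protocol = 'TCP'; Port = 138 },
    @{ Label = 'NetBIOS Datagram Service'; Protocol = 'UDP'; Port = 138 },
    @{ Label = 'NetBIOS Session Service';  Protocol = 'TCP'; Port = 139 },
    @{ Label = 'Microsoft-DS SMB';         Protocol = 'TCP'; Port = 445 }
)

foreach ($b in $blocks) {
    $displayName = "NullSession block - $($b.Label) $($b.Protocol)/$($b.Port)"
    # Idempotent: skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
        Write-Output "exists:  $displayName"
        continue
    }
    New-NetFirewallRule -DisplayName $displayName -Direction Inbound -Protocol $b.Protocol `
        -LocalPort $b.Port -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "created: $displayName"
}

# Verification: show what the new rules actually filter.
Get-NetFirewallRule -DisplayName 'NullSession block - *' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

On a domain member, blocking 139 and 445 on every profile also stops legitimate file sharing and domain traffic; restrict the rules with -Profile Public or a -RemoteAddress scope when the host still needs SMB inside the trusted network, which matches the post's advice to block at the border rather than only on the host.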

A best practice that comes in handy is to stop all services that are not otherwise required for the functioning of the system.

---
Amarjit Singh
