11-29-2005, 06:17 PM   #14
Unregistered (Guest Poster)
Loss of share access

Someone at iolo sent me this. After reading it and researching on the Internet, it made perfect sense.

What you are describing has to do with the Null sessions exploit of Windows. The Fix Security Vulnerabilities tool of SM6 fixes a security vulnerability in Windows by disabling NULL Sessions to disallow the enumeration of SAM accounts and shares. A NULL session connection is an unauthenticated connection to Windows NT/2000/XP machines and is the number one method for hackers to enumerate information about the machine. From a NULL session hackers can use internal Windows functions, such as Remote Procedure Calls, to enumerate information such as the true administrator account and password, provide information on passwords, groups, services, users and even active processors. NULL session access can also be used for escalating privileges and performing DoS (Denial of Service) attacks.

The best way to prevent this is to disallow NULL sessions to the fullest extent possible by restricting anonymous users from enumerating SAM accounts and shares on Windows XP, or restricting all anonymous access unless explicitly granted on Windows 2000.

It is primarily recommended that your network administrator, or you under the administrator account login, configure the system to prevent anonymous log on access to all resources, with the exception of resources the anonymous user may have explicitly been given access to. For alternative resolutions, which may also require administrator access, please see the information below.

Reconfigure the Fix Vulnerability Tool

To disable testing for null sessions within the Fix Security Vulnerabilities tool:

1. Start System Mechanic 6.
2. On the left side of the System Mechanic 6 window click on the Protect button.
3. Click on Fix Security Vulnerabilities.
4. Under the Advanced area click on Custom inspection and report.
5. Click on the Next button.
6. Scroll down and locate Network Settings and uncheck the Null Sessions checkbox.


Re-enable the Security Exploit

Please note: re-enabling of this exploit can be hazardous to your system and allow malicious software or viruses to propagate to other computer shares on the network.

Windows 2000

The Windows security vulnerability can be re-enabled by using the Local Security Policy MSC or by manually navigating to the Administrative Tools Control Panel Applet.

1. Click on the Windows Start button, select Settings and click on Control Panel.
2. Double-click on Administrative Tools.
3. Double-click on Local Security Policy.
4. On the left, under Security Settings, double-click on Local Policies, and then select Security Options.
5. On the right, locate and double-click on Additional restrictions for anonymous connections and click on the Local policy setting drop down box. There are 3 possible values to set:

- None. Rely on default permissions
- Do not allow enumeration of SAM accounts and shares
- No access without explicit anonymous permission

The last value, No access without explicit anonymous permissions, is the most secure.

6. Restart the member computer or domain controller for the change to take effect.


Windows XP Home Edition

Windows XP Home Edition is architecturally limited and does not offer the ability of changing Windows policy settings by offering a security applet such as the Local Security Policy applet. Because of this limitation, the vulnerability will need to be manually re-enabled by modifying the Windows system registry.

1. Click on the Windows Start button.
2. In the Open field type regedit.
3. Click the OK button.
4. On the left, click on the plus sign next to HKEY_LOCAL_MACHINE.
5. Click on the plus sign next to SYSTEM.
6. Click on the plus sign next to CurrentControlSet.
7. Click on the plus sign next to Control.
8. Locate and highlight the key (folder looking icon) named Lsa.
9. On the right, double-click on the value named restrictanonymous.
10. Change the value to 0.
11. Scroll back up and click the minus sign next to Control.
12. Scroll back up and click the minus sign next to CurrentControlSet.

If the key ControlSet001 exists:

1. Click the plus sign next to ControlSet001.
2. Click on the plus sign next to Control.
3. Locate and highlight the key (folder looking icon) named Lsa.
4. On the right, double-click on the value named restrictanonymous.
5. Change the value to 0.
6. Scroll back up and click the minus sign next to Control.
7. Click the minus sign next to ControlSet001.

If the key ControlSet002 exists:

1. Click the plus sign next to ControlSet002.
2. Click on the plus sign next to Control.
3. Locate and highlight the key (folder looking icon) named Lsa.
4. On the right, double-click on the value named restrictanonymous.
5. Change the value to 0.
6. Scroll back up and click the minus sign next to Control.
7. Click the minus sign next to ControlSet002.

If more than the above described ControlSet00x registry locations exist then please perform the same steps on each location. When finished, close all open windows and restart the computer.


Windows XP Professional

The Windows security vulnerability can be re-enabled by using the Local Security Policy MSC or by manually navigating to the Administrative Tools Control Panel Applet.

1. Click on the Windows Start button, select Settings and click on Control Panel.
2. Double-click on Administrative Tools.
3. Double-click on Local Security Policy.
4. On the left, under Security Settings, double-click on Local Policies, and then select Security Options.
5. On the right, locate and double-click on each of the following policy settings to ensure they are set to disabled.

Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let everyone permissions apply to anonymous users

6. Select No access without explicit anonymous permissions under.
7. Restart the member computer or domain controller for the change to take effect.
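Added example, not part of the original post or of iolo's tooling: a read-only PowerShell check that reports the Lsa values behind the settings described above, for CurrentControlSet and every ControlSet00x key, so an administrator can see which control sets still permit anonymous enumeration. The function name is hypothetical; RestrictAnonymousSAM and EveryoneIncludesAnonymous are the registry values behind the XP Professional "Network access" policies named in the post.

```powershell
# Added example: audit the anonymous-access (null session) settings under
# HKLM\SYSTEM\<control set>\Control\Lsa. Read-only; changes nothing.

# Each setting and the value that leaves anonymous access open.
$checks = @(
    @{ Name = 'RestrictAnonymous';         Weak = 0 }  # 0 = rely on default permissions
    @{ Name = 'RestrictAnonymousSAM';      Weak = 0 }  # 0 = anonymous SAM enumeration allowed
    @{ Name = 'EveryoneIncludesAnonymous'; Weak = 1 }  # 1 = Everyone permissions apply to anonymous
)

function Get-NullSessionFindings {   # hypothetical name
    # Cover CurrentControlSet and each ControlSet00x, like the manual steps in the post.
    $sets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }

    foreach ($set in $sets) {
        $lsaPath = Join-Path $set.PSPath 'Control\Lsa'
        if (-not (Test-Path $lsaPath)) { continue }
        $lsa = Get-ItemProperty -Path $lsaPath

        foreach ($check in $checks) {
            $prop  = $lsa.PSObject.Properties[$check.Name]
            $value = if ($prop) { $prop.Value } else { $null }

            # A missing value falls back to the OS default, so report it separately.
            $status = if ($null -eq $value)          { 'NotSet' }
                      elseif ($value -eq $check.Weak) { 'WEAK' }
                      else                            { 'OK' }

            [pscustomobject]@{
                ControlSet = $set.PSChildName
                Setting    = $check.Name
                Value      = $value
                Status     = $status
            }
        }
    }
}

Get-NullSessionFindings |
    Sort-Object ControlSet, Setting |
    Format-Table -AutoSize
```

On Windows 2000, RestrictAnonymous values 0, 1 and 2 correspond to the three "Additional restrictions for anonymous connections" options listed in the post, in that order.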