RestrictAnonymous & Null session questions

  • RestrictAnonymous & Null session questions

    Sorry for the long post, but we are about to implement RestrictAnonymous 2 across the board on servers and possibly clients as well. While many of our boxes have already been configured with this setting, I'm still unsure of its impact on some of our more critical servers.

    I understand that this restricts null users by pulling the null session access token out of the "Everyone" group and denies anything without implicit access to the SAM database.

    Microsoft has a warning about the use of this setting on 2k DCs on Q246261. How much of this applies to 2k3 as well?

    "The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
    • Down-level member workstations or servers are not able to set up a netlogon secure channel.
    • Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
    • Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
    • The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly."
    What about when applied to a client (when does a server need to create a null session to a client, will it break secure channel replication or challenge/response when applied)? What about downlevel servers and clients? What other common processes rely on null sessions to work? DFS, SMB? What about browser service (I've checked what I could, but I want to make sure that I'm not overlooking anything)? Also wanted to confirm that this does not affect IUSR tokens in any way?

    My main concerns are regarding its impact to our ecommerce, web, 2003 DCs, mail servers, and a small handful of win2k clients & servers that still exist.

    Are there any other workarounds to protect a 2k3 DC from null session attacks without breaking the above? What about turning on the pipes firewall and disallowing \pipes\browser? Is this essentially the same thing? What else would this potentially break?

    Also is it safe to use TurnOffAnonymousBlock 0 on a 2k3 DC? I wasn't able to find very much info on this key.


  • #2
    Re: RestrictAnonymous & Null session questions

    I received this reply, but I guess it hasn't posted yet:

    If you have no NT systems go to Advanced View in dsa.msc, open the Everyone group and remove ANONYMOUS LOGON. This will lockout null sessions for your DCs. By default ANONYMOUS LOGON won't be there unless your domain is upgraded from NT.
    For everything else this is controlled by default via GPO: "Network access: Let Everyone permissions apply to anonymous users."
    IMO, who gives a hoot if folks can see account names. This is all fluff so "security experts" can talk about something. If you need tight control go with IPSec to keep your servers isolated.
    Thanks for the quick reply. If you're referring to Pre-Windows 2000 Compatible Access, I had already previously checked the "Anonymous logon" and "Everyone" memberships. They are not present. We're still able to enumerate SIDs through SMB as well. I'm hoping that the TurnOffAnonymousBlock and possibly the pipes firewall (if we have to go that far) will prevent this, but I don't really want to test this on live controllers until we're absolutely sure. I've run this in a test environment, but it's just not the same.

    Unfortunately this is a compliance issue for us so we have to fix this. Our servers are already isolated and we have very strict ACLs.
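    An added audit script (not from either poster) that reports the settings the two posts argue about on one box: the Lsa RestrictAnonymous values, the registry value behind the "Let Everyone permissions apply to anonymous users" policy, and whether ANONYMOUS LOGON (S-1-5-7) still sits in Pre-Windows 2000 Compatible Access. It assumes a local admin session and, for the group check, the RSAT ActiveDirectory module; it flags the Q246261 caveat when RestrictAnonymous=2 is found on a domain controller.

```powershell
# Added example, not code from the thread. Assumes local admin rights; the
# group check assumes the ActiveDirectory (RSAT) module is installed.
function Get-AnonymousAccessPosture {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # A missing value reads as $null, which [int] turns into 0 (the default).
    $posture = [ordered]@{
        # 0 = rely on defaults, 1 = no enumeration of SAM accounts and shares,
        # 2 = no access at all without explicit anonymous permissions
        RestrictAnonymous         = [int]$lsa.RestrictAnonymous
        # 1 = anonymous cannot enumerate SAM accounts (separate knob on 2000+)
        RestrictAnonymousSAM      = [int]$lsa.RestrictAnonymousSAM
        # Backs the GPO "Network access: Let Everyone permissions apply to
        # anonymous users"; 0 = ANONYMOUS LOGON is not part of Everyone
        EveryoneIncludesAnonymous = [int]$lsa.EveryoneIncludesAnonymous
        Warnings                  = @()
    }

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC -and $posture.RestrictAnonymous -eq 2) {
        $posture.Warnings += 'RestrictAnonymous=2 on a DC: down-level secure ' +
            'channels, NT/Mac password changes and Browser service break (Q246261).'
    }

    # Well-known SIDs appear in the group as foreignSecurityPrincipal DNs,
    # e.g. CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=..., so match on the SID.
    if ($isDC -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ActiveDirectory
        $members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' `
                        -Properties member).member
        $posture.PreWin2000HasAnonymousLogon = [bool]($members -match '^CN=S-1-5-7,')
        $posture.PreWin2000HasEveryone       = [bool]($members -match '^CN=S-1-1-0,')
        if ($posture.PreWin2000HasAnonymousLogon) {
            $posture.Warnings += 'ANONYMOUS LOGON is in Pre-Windows 2000 ' +
                'Compatible Access; null sessions can still read the directory.'
        }
    }

    return [pscustomobject]$posture
}

Get-AnonymousAccessPosture | Format-List
```

Run it on a test DC first, as the second post suggests; the Warnings field is what to compare before and after pushing the policy to production.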