NeXpose Vulnerability Database

CIFS NULL Session Permitted

Severity: Moderate (2)
CVSS: N/A
Published: N/A
Added: Nov 1, 2004
Modified: Dec 4, 2007

Description:

NULL sessions allow anonymous users to establish unauthenticated CIFS sessions with Windows or third-party CIFS implementations such as Samba or the Solaris CIFS Server. These anonymous users may be able to enumerate local users, groups, servers, shares, domains, and domain policies, and may be able to access various MSRPC services through RPC function calls. These services have historically been affected by numerous vulnerabilities. The wealth of information available to attackers through NULL sessions may also allow them to carry out more sophisticated attacks.

Solution:

  • Microsoft Windows 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003

    Disable NULL sessions

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

    with the following values:

          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: RestrictAnonymousSAM
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: EveryoneIncludesAnonymous
          Data Type: REG_DWORD
          Data Value: 0

    and set the following value to 0 (or, alternatively, delete it):

          Value Name: TurnOffAnonymousBlock
          Data Type: REG_DWORD
          Data Value: 0

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\

    with the following values:

          Value Name: RestrictNullSessAccess
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: NullSessionPipes
          Data Type: REG_MULTI_SZ
          Data Value: "" (empty string, without quotes)

    Open Local Security Settings, and disable the following setting:

           Security Settings -> Local Policies -> Security Options ->
           Network access: Allow anonymous SID/Name translation: Disabled

    Finally, reboot the machine.

    Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

  • Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional

    Disable NULL sessions

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

    with the following values:

          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: RestrictAnonymousSAM
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: EveryoneIncludesAnonymous
          Data Type: REG_DWORD
          Data Value: 0

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\

    with the following values:

          Value Name: RestrictNullSessAccess
          Data Type: REG_DWORD
          Data Value: 1
          Value Name: NullSessionPipes
          Data Type: REG_MULTI_SZ
          Data Value: "" (empty string, without quotes)

    Open Local Security Settings, and disable the following setting:

           Security Settings -> Local Policies -> Security Options ->
           Network access: Allow anonymous SID/Name translation: Disabled

    Finally, reboot the machine.

    Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

  • Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server

    Disable NULL sessions

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

    with the following value:

          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Data Value: 2

    After modifying the registry, reboot the machine.

    Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

  • Microsoft Windows NT Server 4.0, Microsoft Windows NT Server, Enterprise Edition 4.0, Microsoft Windows NT Workstation 4.0

    Install Microsoft service pack Windows NT4 Service Pack 4

    Download and apply the upgrade from: http://support.microsoft.com/sp

  • Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition

    Disable NULL sessions

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

    with the following value:

          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Data Value: 1

    After modifying the registry, reboot the machine.

    It is important to note that on Windows NT 4.0 systems, setting this registry entry will still leave the system open to various attacks, including brute-force enumeration of users and groups. A complete solution for Windows NT 4.0 systems is not available.

  • Samba on Linux

    Restrict anonymous access

    To restrict anonymous access to Samba, modify your "smb.conf" settings as follows:

          guest account = nosuchuser
          restrict anonymous = yes

    Note: Make sure you do NOT list a user "nosuchuser" in your password file.

  • Novell NetWare

    Novell Netware CIFS

    As of May 9, 2007, Novell Netware CIFS does not provide a workaround for this vulnerability.
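
To verify that the Windows Server 2003 / Windows XP settings listed above took effect after the reboot, the following PowerShell audit script can be used. It is an added example, not part of the NeXpose entry; the function names, variable names and temporary file name are assumptions, and it only reads settings (run it from an elevated prompt so that secedit can export the local policy).

```powershell
# Read-only audit of the values listed above for Windows Server 2003 / XP.
# Windows 2000 differs on the page (RestrictAnonymous = 2) and is not covered here.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Expected data is taken from the page; AbsentOk marks the value the page says may be deleted.
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Path = $lsa;    Name = 'TurnOffAnonymousBlock';     Expected = 0; AbsentOk = $true },
    @{ Path = $lanman; Name = 'RestrictNullSessAccess';    Expected = 1 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Result($Setting, $Expected, $Actual, [bool]$Compliant) {
    New-Object PSObject -Property @{
        Setting = $Setting; Expected = $Expected; Actual = $Actual; Compliant = $Compliant
    }
}

$results = @()
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -eq $actual) { $ok = [bool]$c.AbsentOk } else { $ok = ($actual -eq $c.Expected) }
    $results += New-Result $c.Name $c.Expected $actual $ok
}

# NullSessionPipes is REG_MULTI_SZ: compliant only when it lists no pipe names.
# Assumption of this example: a missing value is treated the same as an empty one.
$pipes = @(@(Get-RegValue $lanman 'NullSessionPipes') | Where-Object { $_ })
$results += New-Result 'NullSessionPipes' '(empty)' ($pipes -join ',') ($pipes.Count -eq 0)

# "Allow anonymous SID/Name translation" is exported by secedit as LSAAnonymousNameLookup.
$cfg = Join-Path $env:TEMP 'null-session-audit.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$m = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d+)' | Select-Object -First 1
if ($m) { $lookup = [int]$m.Matches[0].Groups[1].Value } else { $lookup = $null }
Remove-Item $cfg -ErrorAction SilentlyContinue
$results += New-Result 'LSAAnonymousNameLookup' 0 $lookup ($lookup -eq 0)

$results | Select-Object Setting, Expected, Actual, Compliant | Format-Table -AutoSize
```

Any row with Compliant = False points at a step in the list above that was skipped or later overwritten, for example by domain Group Policy.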



Information on these pages is summary information extracted from the NeXpose Vulnerability Assessment system. Full details are provided within the NeXpose product for licensed users.