How can I disable unauthenticated connections to IPC$

I want to find out if there is a way to disable unauthenticated access
to the IPC$ share in an effort to remediate the /sarcasm dreaded "Null
Session" vulnerability. Steps I have all ready taken and the results:

The test system was W2K3

The system I connected from was my desktop WinXP on the same domain

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
RebootFrom my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
LLSRPC“ (took out browser)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
LLSRPC“ (took out browser)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “ “ (took out all entries)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “ “ (tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserve r
\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserve r
\parameters\AllowedPipes = “Netlogon, lsarpc, samr, srvsvc,
wkssvc” (left out BROWSER)
Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC,
BROWSER“
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserve r
\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserve r
\parameters\AllowedPipes = “ ” (took out all entries)
Change HKLM\System\currentcontrolset\control\lsa\restrict anonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control
\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionPipes = “ “(tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserve r\parameters
\NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:”” “”
Result = Successful

I had a thought that maybe these settings were getting changed back
after reboots by the local security policy, so I ran through a number
of these tests again, and added a step after reboots to check the
local security policy to ensure they were not getting changed.

After doing all of these tests, I tested again with the <server-name>
server and I connected FROM a machine that is not on the domain, to
make sure there was not a GPO, or some kind of domain trust playing
into this. The results of these tests were the same.

and just to clarify i had RestrictNullSessAccess = 1

and i tried this:
found here - http://social.technet.microsoft.com/...8-be7270f92e2b
There are 6 policies listed below that controls what information can
be accessed anonymously. These policies are located in local group
policy editor under Computer Configuration\Windows Settings
\SecuritySettings\Local Policies\SecurityOptions.
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM
accounts
3. Network access: Do not allow anonymous enumeration of SAM
accounts and shares
4. Network access: Let Everyone permissions apply to anonymous
users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously
In order to completely disable anonymous logons, you can disable
policy 1 and 4, enable policy 2 and 3, and specifying empty lists for
policy 5 and 6.

I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$
OR TO -\\<server>\-

Links to MS articles:
RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/l...67(WS.10).aspx
Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890
TurnOffAnonymousBlock -
http://social.technet.microsoft.com/...d-7925106107b7
RestrictNullSessAccess - http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

Is this a lost cause?
What am I missing?
IS there even a way to completely disable unauthenticated access to IPC
$???

i already know about monitoring with IDS/IPS and I can block access
with firewalls.... blah... blah... blah... BUT outside of that, is
there a way, either through local security policy / registry / GPO /
<insert compensating control here> - to restrict this?

please advise....

"The [IPC$] share is used for browsing purposes as well as to establish TCP/IP connections."

source: samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html


"Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access Control List (ACL) on the shares themselves."


Well, I reckon it might be easier just to use iptables/netfilter, and filter any SMB protocol packet containing the string "ANONYMOUS IDENTIFIER" , so up comes the wireshark / packet sniffer

if theres NTLMv1 or v2/keberos crypto, hmmm another layer of complication.