How can I disable unauthenticated connections to IPC$

Discussion in 'Windows Networking' started by zerotrace, Jan 21, 2011.

  1. zerotrace

    zerotrace Guest

    I want to find out if there is a way to disable unauthenticated access
    to the IPC$ share in an effort to remediate the /sarcasm dreaded "Null
    Session" vulnerability. Steps I have already taken and the results:

    The test system was W2K3

    The system I connected from was my desktop WinXP on the same domain

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
    LLSRPC“ (took out browser)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS,
    LLSRPC“ (took out browser)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “ “ (took out all entries)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “ “ (tried with and without entries)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Add new key HKLM\System\currentcontrolset\services\lanmanserver
    \parameters\PipeFirewallActive = 1
    Add new key HKLM\System\currentcontrolset\services\lanmanserver
    \parameters\AllowedPipes = “Netlogon, lsarpc, samr, srvsvc,
    wkssvc” (left out BROWSER)
    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC,
    BROWSER“
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    Add new key HKLM\System\currentcontrolset\services\lanmanserver
    \parameters\PipeFirewallActive = 1
    Add new key HKLM\System\currentcontrolset\services\lanmanserver
    \parameters\AllowedPipes = “ ” (took out all entries)
    Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
    (tried 1 and 2)
    Add new key HKLM\System\currentcontrolset\control
    \TurnOffAnonymousBlock = 0 (tried with and without)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionPipes = “ “(tried with and without entries)
    HKLM\System\currentcontrolset\services\lanmanserver\parameters
    \NullSessionShares = “COMCFG, DFS$ “ (tried with and without entries)
    Reboot
    From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
    Result = Successful

    I had a thought that maybe these settings were getting changed back
    after reboots by the local security policy, so I ran through a number
    of these tests again, and added a step after reboots to check the
    local security policy to ensure they were not getting changed.

    After doing all of these tests, I tested again with the <server-name>
    server and I connected FROM a machine that is not on the domain, to
    make sure there was not a GPO, or some kind of domain trust playing
    into this. The results of these tests were the same.

    And just to clarify, I had RestrictNullSessAccess = 1

    And I tried this:
    found here - http://social.technet.microsoft.com...n/thread/841523db-8c4b-43a0-9f28-be7270f92e2b
    There are 6 policies listed below that control what information can
    be accessed anonymously. These policies are located in local group
    policy editor under
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
    1. Network access: Allow anonymous SID/Name translation
    2. Network access: Do not allow anonymous enumeration of SAM accounts
    3. Network access: Do not allow anonymous enumeration of SAM accounts and shares
    4. Network access: Let Everyone permissions apply to anonymous users
    5. Network access: Named Pipes that can be accessed anonymously
    6. Network access: Shares that can be accessed anonymously
    In order to completely disable anonymous logons, you can disable
    policy 1 and 4, enable policy 2 and 3, and specify empty lists for
    policy 5 and 6.

    I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$
    OR TO -\\<server>\-

    Links to MS articles:
    RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/library/cc783167(WS.10).aspx
    Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890
    TurnOffAnonymousBlock -
    http://social.technet.microsoft.com...y/thread/b37c3237-94e1-48a5-9f2d-7925106107b7
    RestrictNullSessAccess - http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

    Is this a lost cause?
    What am I missing?
    IS there even a way to completely disable unauthenticated access to
    IPC$???

    I already know about monitoring with IDS/IPS and I can block access
    with firewalls.... blah... blah... blah... BUT outside of that, is
    there a way, either through local security policy / registry / GPO /
    <insert compensating control here> - to restrict this?

    please advise....
     
    zerotrace, Jan 21, 2011
    #1
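
Added example (not part of the thread, and not code from either poster): a read-only PowerShell check of the registry values behind the settings listed in the post above, compared against the quoted recommendation plus RestrictNullSessAccess = 1. The value names RestrictAnonymousSAM and EveryoneIncludesAnonymous do not appear in the thread and are the registry names assumed here for policies 2 and 4; the function name Test-AnonymousAccessSetting is hypothetical.

```powershell
# Added example: read-only audit of the anonymous-access values from the thread.
# Policy 1 (anonymous SID/Name translation) is not a plain registry value
# and is not checked here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    # DWORD values: compliant when set and within Min..Max.
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Min = 1; Max = 2 },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Min = 1; Max = 1 },  # assumed name
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Min = 0; Max = 0 },  # assumed name
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Min = 1; Max = 1 },
    # Multi-string values: compliant when the list has no entries.
    @{ Path = $srv; Name = 'NullSessionPipes';  EmptyList = $true },
    @{ Path = $srv; Name = 'NullSessionShares'; EmptyList = $true }
)

function Test-AnonymousAccessSetting {
    param([hashtable]$Check)

    $item  = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $found = $null -ne $item
    $value = if ($found) { $item.($Check.Name) } else { $null }

    if ($Check.EmptyList) {
        # An absent value or a list holding only blank strings counts as empty.
        $entries = @($value | Where-Object { $_ -and "$_".Trim() })
        $ok      = $entries.Count -eq 0
        $shown   = if ($entries.Count) { $entries -join ', ' } else { '(empty)' }
    } else {
        # A missing DWORD means the OS default applies; flag it for review.
        $ok    = $found -and ($value -ge $Check.Min) -and ($value -le $Check.Max)
        $shown = if ($found) { $value } else { '(not set)' }
    }

    New-Object PSObject -Property @{
        Setting   = $Check.Name
        Value     = $shown
        Compliant = $ok
    }
}

$checks | ForEach-Object { Test-AnonymousAccessSetting $_ } |
    Select-Object Setting, Value, Compliant |
    Format-Table -AutoSize
```

The script reports configuration only; it does not attempt a connection to IPC$, so the `net use` test from the post remains a separate check.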

  2. zerotrace

    koolholio

    "The [IPC$] share is used for browsing purposes as well as to establish TCP/IP connections."

    source: samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html


    "Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access Control List (ACL) on the shares themselves."


    Well, I reckon it might be easier just to use iptables/netfilter, and filter any SMB protocol packet containing the string "ANONYMOUS IDENTIFIER", so up comes the Wireshark / packet sniffer.

    If there's NTLMv1 or v2/Kerberos crypto, hmmm, another layer of complication.
     
    koolholio, Mar 26, 2011
    #2