[windows2000] Re: Anon logon

  • From: "Daniel Angelucci" <daniel_angelucci@xxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Thu, 08 Aug 2002 07:06:35 -0400

Yup.  This is part of the LanMan server settings, so it's on all Windows 
2000 versions.  I guess on Pro you don't have to worry about the DC issues.

Dan


>From: "Sorin Srbu" <sorin@xxxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: "windows2000@xxxxxxxxxxxxx" <windows2000@xxxxxxxxxxxxx>
>Subject: [windows2000] Re: Anon logon
>Date: Thu, 08 Aug 2002 08:44:32 +0200
>
>
>On Wed, 07 Aug 2002 11:17:26 -0400, Daniel Angelucci wrote:
>
> >There are a series of things that use the anonymous logon.  I would recommend
> >disabling it, but inevitably things may break as a result.  In order to
> >disable anonymous logons, go to the local security policy of the machine (or
> >implement through group policy) and look for the entry under security
> >options for "Additional Restrictions for Anonymous Connections."  Change
> >the value to "No Access Without Explicit Permissions".
> >
> >Also, change the permissions on the registry key
> >"HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes"
> >so that the everyone group cannot read this key.
> >
> >Also, set the key RestrictNullSessAccess to "1".  This is the default.
> >
> >Reboot, then prepare for calls.  I can tell you that some things will break
> >for sure.  If you have downlevel domain controllers, this will prevent them
> >from communicating with your 2000 DCs.  In addition, several programs use
> >the Null bind to enumerate resources on your network.  Some Xerox software
> >we use has this problem.  Xerox does not appear interested in fixing this.
> >
> >Now, to actually answer your question, anonymous connections to your DCs or
> >servers are connections that are made for the purposes of enumerating
> >resources.  The three most common are inter-domain trusts with NT 4.0
> >domains, intra-domain communication with NT 4.0 BDCs and (strangely)
> >printing services from non-domain or Windows 95/98 machines.  Basically
> >these services count on being able to see the resources available on these
> >servers without logging on.  Your event log is showing that someone has done
> >this.  Anonymous binds to my downlevel BDC are the single most used exploit
> >to get information about my user accounts, groups and shares.
> >
> >I believe that the NIMDA virus also used the null session to enumerate
> >attackable shares.
>
>Does all of the above also apply to win2k pro?
>
> >>From: "Sorin Srbu" <sorin@xxxxxxxxxxxxx>
> >>Reply-To: windows2000@xxxxxxxxxxxxx
> >>To: "windows2000@xxxxxxxxxxxxx" <windows2000@xxxxxxxxxxxxx>
> >>Subject: [windows2000] Re: Anon logon
> >>Date: Wed, 07 Aug 2002 10:04:03 +0200
> >>
> >>
> >>On Tue, 06 Aug 2002 15:35:40 +0000, bbeckett2000@xxxxxxxxx wrote:
> >>
> >> >What is the NT Authority\Anonymous logon used for?
> >> >I have sporadic entries in my logs
> >>
> >>I'd like to know too. Eventid.net wasn't helping...
>
>
>BW,
>
>                Sorin
>
># Sorin Srbu, Systems Engineer         Email: sorin.srbu@xxxxxxxxxxxxx
># Department of Medical Chemistry,             Web: http://www.farmaci.uu.se
># Division of Organic Pharmaceutical Chemistry,        Phone: +46-18-471-4482 >> 5 signals >> GSM
># BMC, Box 574, Uppsala University             Cell Phone: +46-701-718023
># SE-751 23 Uppsala, Sweden            Fax: +46-18-471-4474
>#                                      Visit: BMC, Husargatan 3, D5:512b
>#
># Public PGP key available on request.
>
>
>
>
>This Weeks Sponsor
>==================================
>CPU seNTinel by OneApp
>Definitive Control over Individual Applications CPU utilization
>http://www.oneapp.co.uk/site/sentinel
>
>==================================
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm
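
A read-only audit of the three settings discussed in the thread, as an added example that is not part of the original posts. Assumptions: the "Additional Restrictions for Anonymous Connections" policy is stored as `RestrictAnonymous` under `Control\Lsa` with the Windows 2000 value mapping (2 = "No access without explicit anonymous permissions"), `NullSessionPipes` is read as a multi-string value under the `Parameters` key, and the Everyone ACL is checked on that `Parameters` key; the helper names `Get-RegValue` and `New-Finding` are hypothetical.

```powershell
# Added example: read-only audit of the null-session settings named in the thread.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Setting, $Value, [bool]$Ok, [string]$Note)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Ok = $Ok; Note = $Note }
}

$findings = @()

# Assumption: Windows 2000 mapping, where 2 is "No access without explicit
# anonymous permissions" and an absent value behaves as 0.
$ra = Get-RegValue $lsa 'RestrictAnonymous'
$findings += New-Finding 'RestrictAnonymous' $ra ($ra -eq 2) 'thread recommends the strictest policy setting'

# An absent RestrictNullSessAccess means the default, which the thread gives as 1.
$rn = Get-RegValue $params 'RestrictNullSessAccess'
$findings += New-Finding 'RestrictNullSessAccess' $rn ($null -eq $rn -or $rn -eq 1) '0 disables the null-session pipe/share restriction'

# Pipes listed here stay reachable anonymously even with the restriction on.
$pipes = @(Get-RegValue $params 'NullSessionPipes' | Where-Object { $_ })
$findings += New-Finding 'NullSessionPipes' ($pipes -join ', ') ($pipes.Count -eq 0) 'each entry needs a documented owner'

# Does Everyone (well-known SID S-1-1-0) still hold an Allow rule on the key?
$sidType  = [System.Security.Principal.SecurityIdentifier]
$everyone = @((Get-Acl -Path $params).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Allow' })
$findings += New-Finding 'Everyone ACL on Parameters' $everyone.Count ($everyone.Count -eq 0) 'thread advises removing Everyone read access'

$findings | Format-Table -AutoSize -Wrap
```

Rows with `Ok` set to `False` are the ones to review before tightening anything, since the thread reports that downlevel domain controllers and some printing software depend on null sessions.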



