Recently there have been several incidents on campus involving someone enumerating Windows NT and Windows 2000 user lists, determining which users have administrative privileges, and attempting to guess these users' passwords. If account lockout is turned on, the server will lock out the attacked user accounts, resulting in a denial of service. If account lockout is off, and given enough time, the attacker is likely to gain access to the server. One variant of the attack is to try and guess passwords for all of the users on the server. Another variant includes attempting to guess the internal user passwords, including the IUSR_computername account that is used by IIS. If account lockout is turned on, this may result in the web server being unable to access the HTML files.

To stop outsiders from downloading the entire user list from NT or 2000 servers, null sessions must be turned off. Null sessions allow anonymous connections to download the user list, NetBIOS shares, and policy information like when users can log in and what rights they have. My understanding is that they are not used very often, and may be disabled in most cases. Null sessions are used in one-way trust relationships between domains (see the Microsoft Knowledge Base article Q143474 for more information). They are also used by certain third party software packages like ARCserve 6.0, and some very old printing configurations (see Microsoft KB article Q121853).

To disable Null NetBIOS sessions on Windows NT 4.0:

1. The system must be at least on Service Pack 3.
2. Run Registry Editor (Regedt32.exe).
3. Go to the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
4. On the Edit menu, click Add Value and use the following entry:
   Value Name: RestrictAnonymous
   Data Type: REG_DWORD
   Value: 1
5. Exit the Registry Editor and restart the computer for the change to take effect.

To disable Null NetBIOS sessions on Windows 2000:

1. From the Start menu, select Programs --> Administrative Tools --> Local Security Policy.
2. Under Security Settings, double-click Local Policies, and then click Security Options.
3. Double-click Additional restrictions for anonymous connections.
4. Under Local policy setting, click No access without explicit anonymous permissions.

Several people have tried this on their workstations, and did not notice any problems. I don't know of anyone at MSU who has applied this to a server yet. Each server administrator will have to weigh the risk of their user database being attacked against the risk of possibly breaking certain functionality. Under NT, null access may be restored by setting the value of RestrictAnonymous to 0. Under 2000, simply set the Additional restrictions for anonymous connections local policy back to the default setting.

Please review the knowledge base articles, and research null sessions before making this change. It seems to work, but I really don't know what the side effects may be. I would like to post this procedure to the security web page and the msusec mailing list in the near future. Any suggestions, comments, or results would be greatly appreciated.

--
Joe Budzyn
301 Computer Center
Ph: (517) 355-4500 x162
Michigan State University
East Lansing, MI 48824
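As an added example that is not part of the original message, the following PowerShell script audits the RestrictAnonymous value from the NT procedure above and, only when asked, writes it. It assumes a Windows version that has PowerShell and the same LSA registry key (NT 4.0 itself only offers Regedt32.exe); the -Apply switch and the 0/1 value set are this example's own conventions, taken from the values the message describes.

```powershell
# Added example (not from the original post): audit and optionally set the
# RestrictAnonymous value described above. Assumes a Windows version with
# PowerShell and the same HKLM\SYSTEM\CurrentControlSet\Control\Lsa key;
# the original procedure targets NT 4.0 with Regedt32.exe.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Desired value: 1 = restrict anonymous (null session) enumeration,
    # 0 = the default, which restores null access as the message notes.
    [ValidateSet(0, 1)]
    [int]$Desired = 1,

    # Without -Apply the script only reports; with it, the value is written.
    [switch]$Apply
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'RestrictAnonymous'

# Read the current value; a missing value behaves like 0 (null sessions allowed).
$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name is not set (null sessions allowed)."
} else {
    Write-Output "$name is currently $current."
}

if (-not $Apply) {
    Write-Output "Audit only; rerun with -Apply to set $name to $Desired."
    return
}

if ($current -eq $Desired) {
    Write-Output "$name is already $Desired; nothing to do."
    return
}

# New-ItemProperty -Force creates the REG_DWORD value or overwrites an existing one.
# -WhatIf (from SupportsShouldProcess) shows the change without writing it.
if ($PSCmdlet.ShouldProcess("$lsaKey\$name", "set to $Desired")) {
    New-ItemProperty -Path $lsaKey -Name $name -Value $Desired -PropertyType DWord -Force | Out-Null
    Write-Output "$name set to $Desired; restart the computer for the change to take effect."
}
```

Run it from an elevated prompt; writing to the LSA key requires administrative rights, while the audit-only mode works for any user who can read the key.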