Windows Vista Tips

Disable Null Sessions

 
 
James

 
      01-12-2010
We had an audit and were told to disable null sessions on all of our
servers. I found that we could use group policy to accomplish this. I have
enabled the following settings on a test OU and moved a server to that OU.

Network access: Do not allow anonymous enumeration of SAM accounts
Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and
shares Enabled

I was wondering the easiest way to verify that the null sessions have been
disabled? I downloaded a few applications that stated they would check this.
When I try to test I get the same results on my existing servers as I do on
the server that I put in the test OU with the GPO.


Thanks,
James


 
 
 
 
 
James

 
      01-12-2010
I noticed that when I scan the Windows 2000 server that I have I can get
back the list of local users and groups. When I scan my Windows 2003 member
servers I don't get anything back. When I scan my 2003 domain controllers I
get back a list of users and groups. What is the best way to apply settings
to the server to disable the ability to retrieve this information?




"James" <> wrote in message
news:...
> We had an audit and were told to disable null sessions on all of our
> servers. I found that we could use group policy to accomplish this. I have
> enabled the following settings on a test OU and moved a server to that OU.
>
> Network access: Do not allow anonymous enumeration of SAM accounts Enabled
> Network access: Do not allow anonymous enumeration of SAM accounts and
> shares Enabled
>
> I was wondering the easiest way to verify that the null sessions have been
> disabled? I downloaded a few applications that stated they would check
> this. When I try to test I get the same results on my existing servers as
> I do on the server that I put in the test OU with the GPO.
>
>
> Thanks,
> James
>



 
 
JASON ARCHER

 
      01-20-2010
What tools are you using? Many report false positives in that you can
connect to the IPC$ but are unable to enumerate any further information like
user accounts and domain machines.

So basically if your tools state you have null sessions enabled but do
not retrieve account information then you're fixed.

Try Nessus tool as an example.

Rgds


On 12/01/2010 21:08, in article ,
"James" <> wrote:

> We had an audit and were told to disable null sessions on all of our
> servers. I found that we could use group policy to accomplish this. I have
> enabled the following settings on a test OU and moved a server to that OU.
>
> Network access: Do not allow anonymous enumeration of SAM accounts
> Enabled
> Network access: Do not allow anonymous enumeration of SAM accounts and
> shares Enabled
>
> I was wondering the easiest way to verify that the null sessions have been
> disabled? I downloaded a few applications that stated they would check this.
> When I try to test I get the same results on my existing servers as I do on
> the server that I put in the test OU with the GPO.
>
>
> Thanks,
> James
>
>


 
 
Dave Warren

 
      01-20-2010
In message <C77D0F07.162B%> JASON ARCHER
<> was claimed to have wrote:

>What tools are you using? Many report false positives in that you can
>connect to the IPC$ but are unable to enumerate any further information like
>user accounts and domain machines.
>
>So basically if your tools state you have null sessions enabled but do
>not retrieve account information then you're fixed.
>
>Try Nessus tool as an example.


Are you suggesting Nessus tool as an example to retrieve information? Or
as an example of a tool that does it wrong?
 
 
JASON ARCHER

 
      01-21-2010
Little bit of both really, you can use the tool to identify if you have
'NULL' sessions that are insecure. If it returns users and machine info
then you have a problem, if it just returns the fact the NULL sessions are
enabled you're ok - I've never understood why they've never fixed it.


On 20/01/2010 20:44, in article ,
"Dave Warren" <dave-> wrote:

> In message <C77D0F07.162B%> JASON ARCHER
> <> was claimed to have wrote:
>
>> What tools are you using? Many report false positives in that you can
>> connect to the IPC$ but are unable to enumerate any further information like
>> user accounts and domain machines.
>>
>> So basically if your tools state you have null sessions enabled but do
>> not retrieve account information then you're fixed.
>>
>> Try Nessus tool as an example.

>
> Are you suggesting Nessus tool as an example to retrieve information? Or
> as an example of a tool that does it wrong?


 
 
James

 
      02-03-2010
When scanning my single Windows 2000 member server I can get back a list of
usernames. When I scan my Windows 2003 domain controllers I can get back a
list of usernames. My 2003 member servers do not give a list of usernames. I
am not sure how to prevent the 2000 server and the 2003 domain controllers
from providing the usernames. Any help would be great.

Thanks



"JASON ARCHER" <> wrote in message
news:C77E6312.1646%...
> Little bit of both really, you can use the tool to identify if you have
> 'NULL' sessions that are insecure. If it returns users and machine info
> then you have a problem, if it just returns the fact the NULL sessions are
> enabled you're ok - I've never understood why they've never fixed it.
>
>
> On 20/01/2010 20:44, in article
> ,
> "Dave Warren" <dave-> wrote:
>
>> In message <C77D0F07.162B%> JASON ARCHER
>> <> was claimed to have wrote:
>>
>>> What tools are you using? Many report false positives in that you can
>>> connect to the IPC$ but are unable to enumerate any further information
>>> like
>>> user accounts and domain machines.
>>>
>>> So basically if your tools state you have null sessions enabled but
>>> do
>>> not retrieve account information then you're fixed.
>>>
>>> Try Nessus tool as an example.

>>
>> Are you suggesting Nessus tool as an example to retrieve information? Or
>> as an example of a tool that does it wrong?

>



 
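One way to confirm on the server itself that the two policies named in the first post actually applied, independent of what a remote scanner reports. This is an added example, not part of the thread; the function name `Test-AnonymousRestriction` and the sample values are constructed for illustration. It reads the registry values those policies set, `RestrictAnonymousSAM` and `RestrictAnonymous`, under the `Lsa` key.

```powershell
# Added example: audit the registry values behind the two GPO settings in this thread.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# GPO setting -> registry value name -> data that means "Enabled"
$Expected = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Name   = 'RestrictAnonymousSAM'; Want = 1 },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Name   = 'RestrictAnonymous';    Want = 1 }
)

function Test-AnonymousRestriction {
    param(
        # Value name -> data. Omit to read the live registry of this machine.
        [hashtable]$LsaValues
    )
    if (-not $LsaValues) {
        $props = Get-ItemProperty -Path $LsaKey
        $LsaValues = @{}
        foreach ($e in $Expected) { $LsaValues[$e.Name] = $props.($e.Name) }
    }
    foreach ($e in $Expected) {
        $actual = $LsaValues[$e.Name]
        # A missing value means the policy never reached this machine.
        # Windows 2000 also accepts RestrictAnonymous = 2, so test for >= 1.
        [pscustomobject]@{
            Policy    = $e.Policy
            Value     = $e.Name
            Actual    = $actual
            Compliant = ($null -ne $actual -and [int]$actual -ge $e.Want)
        }
    }
}

# Constructed sample: a server where only the first setting arrived.
Test-AnonymousRestriction -LsaValues @{ RestrictAnonymousSAM = 1; RestrictAnonymous = 0 } |
    Format-Table Value, Actual, Compliant -AutoSize

# On a real server, run with no arguments to read its own registry:
# Test-AnonymousRestriction | Format-Table -AutoSize
```

If a value is missing or 0 on a machine that should be covered, check with `gpresult` that the GPO is actually being applied to that computer.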
 
 
 