We found reference to this in a few different places as well. We don't know if any other services are using null sessions so we don't know if we can disable it. We say something that mentioned it being used for server->server communication.
~Katie -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky Sent: Friday, June 13, 2003 6:12 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] OT; user accounts getting locked out en masse; process is ksecdd > From: "Katie La Salle-Lowery" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > Date: Fri, 13 Jun 2003 17:33:03 -0600 > To: <[EMAIL PROTECTED]> > Subject: [IMail Forum] OT; user accounts getting locked out en masse; > process is ksecdd > > Just cuz you're such an broadly experienced group I'm going to pose my > problem of the day: > > My User Accounts (Windows network) are getting locked out en masse. > Event viewer shows failed login attempts using process ksecdd. > > I'm Googling my little heart out but if anyone in this knowledgable > group has any insight, I'd be in their debt. http://archives.neohapsis.com/archives/firewalls/2001-q1/0248.html http://www.tek-tips.com/gpviewthread.cfm/qid/418282/pid/55/lev2/3/lev3/1 9 Some people think that it is a NULL session attack. If you scan your box with Nessus you'll know if your box accepts NULL sessions. (By default all windows NT / 2k boxes do.) Some people say that if you disable NULL sessions it will stop. Depending on the services your systems are required to provide, it may be possible for you to restrict or disable anonymous null sessions on your Windows 2000 hosts. This can be done through the HKLM\SYSTEM\CurrentControlSet\Control\LSA key with the following parameters: Value: RestrictAnonymous Value Type: REG_DWORD Value Data: 0x1 or 0x2 (Hex) According to Microsoft Knowledge Base Article Q246261 , this key can take on the following values: 0x0 = None. Rely on default permissions 0x1 = Do not allow enumeration of SAM accounts and names 0x2 = No access without explicit anonymous permissions Windows XP sets the RestrictAnonymousSam key to 0x1 by default. -Josh To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
