To the best of my knowledge, unless you are running win2k 100% native, you have to allow null sessions. Null sessions are used to enumerate shares & accounts, & are required to some extent in NT domains. There is a registry key that can be set (I can't remember exactly, but a search at MS or deja news/google under microsoft.public.* should get you going) to 0 (default), 1, or 2. 2 being no null sessions allowed. However, setting this key to 2 will absolutely break some things unless you are 100% Active Directory in native mode. I've looked at this a little. Setting it to 1 will stop some automated tools from getting a null connection, but not all of them (I think nessus will still alert on a 1). To minimize this issue:
1. don't allow netbios or rpc through your fw
2. lockout accounts after n incorrect bad logins (use passprop to enable admin acct lockouts)
3. set appropriate permissions on shares/file system
4. set appropriate permissions on the registry (win2k is pretty good w/ this, but NT4 is not)

The 1219 error probably indicates you were trying a server that you already had a drive mapped to under your login acct.

It's not a false positive. Null sessions are allowed. However, it's going to turn up for every win PC, so you may not want to include it in a final report (or just mention it as a footnote) unless your environment requires that nth degree of security regardless of cost.

HTH

> -----Original Message-----
> From: Jared Breland [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: netbios question
>
> hmm...
>
> C:\> net use \\<ip>\ipc$ /user:"" ""
> The command completed successfully.
>
> C:\> net view \\<ip>
> There are no entries in the list.
>
> I also tried doing a remote registry connect, but basically got a
> permission denied. I tried net use on a couple other computers that
> turned up in the results, but they gave me "System error 1219 has
> occurred. The credentials supplied conflict with an existing set of
> credentials." Am I doing something wrong, or is this just a false
> positive?
>
> --
> Jared Breland
> Information Security Intern
> [EMAIL PROTECTED]
> 901-748-5632
>
> "John Lampe" <j_lampe@bellsouth.net>
> 07/25/2002 05:31 AM
> To: <[EMAIL PROTECTED]>, "Jared Breland" <[EMAIL PROTECTED]>
> cc:
> Subject: Re: netbios question
>
> really only of interest if ipc$ is shared (default share).
> If so, then:
>
> net use \\ip\ipc$ /user:"" "" from a dos prompt...
> if that works then you can try
> net view \\ip
> regedt32 (and connect to remote IP)
> dom2sid sid2dom
> etc.
>
> John Lampe
> https://f00dikator.hn.org/
>
> "Knowledge will forever govern ignorance, and a people who mean to be
> their own governors, must arm themselves with the power knowledge
> gives. A popular government without popular information or the means
> of acquiring it, is but a prologue to a farce or a tragedy or perhaps
> both."
> --James Madison
>
> ----- Original Message -----
> From: "Jared Breland" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 25, 2002 4:30 PM
> Subject: netbios question
>
> I get at least one of the following for just about any Windows host I
> scan, but what exactly does it mean? Does it mean I can actually login
> to the box and view its contents? How? I've tried every way I can
> think of, but I haven't been able to figure it out. Oh, and no, I'm
> not trying to view other people's data, just trying to understand the
> process of how it works so I'll know how to protect against it. I'm
> sure that's assumed for the people on this list, but just so there's
> no confusion... :-).
>
> ----------------------------------------------------------------------------
>
> . It was possible to log into the remote host using the following
> login/password combinations :
> 'guest'/''
>
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
>
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will
> prevent them from connecting to IPC$
>
> . All the smb tests will be done as 'guest'/'' in domain
>
> ----------------------------------------------------------------------------
>
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
>
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will
> prevent them from connecting to IPC$
>
> . All the smb tests will be done as ''/'' in domain
>
> --
> Jared
>
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
> * To subscribe again, send a mail to [EMAIL PROTECTED] with
> "subscribe nessus" in the body
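
Added example, not part of the original thread: a small audit helper that reads saved output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous` and `net accounts` and reports the two settings the reply discusses (the 0/1/2 registry value and account lockout). It assumes the key the reply refers to is the RestrictAnonymous value covered by the KB articles in the scan output; the function names and sample outputs are constructed for illustration.

```python
import re

# Meaning of each value, following the reply above.
LEVELS = {
    0: "default: null sessions allowed",
    1: "partial: stops some automated tools, scanners may still alert",
    2: "no null sessions (breaks things outside native-mode Active Directory)",
}

def restrict_anonymous(reg_output):
    """Return the DWORD from `reg query` output; an absent value means 0."""
    m = re.search(r"^\s*restrictanonymous\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$",
                  reg_output, re.IGNORECASE | re.MULTILINE)
    return int(m.group(1), 16) if m else 0

def lockout_threshold(net_accounts_output):
    """Return the lockout threshold from `net accounts`; None means 'Never'."""
    m = re.search(r"^Lockout threshold:\s+(\S+)", net_accounts_output, re.MULTILINE)
    if not m or not m.group(1).isdigit():
        return None
    return int(m.group(1))

def audit(reg_output, net_accounts_output):
    """Return a list of findings for one host's saved command output."""
    findings = []
    level = restrict_anonymous(reg_output)
    if level < 2:
        findings.append("RestrictAnonymous=%d (%s)" % (level, LEVELS.get(level, "unknown")))
    if lockout_threshold(net_accounts_output) is None:
        findings.append("no account lockout threshold set")
    return findings

# Constructed sample output (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x1
"""
SAMPLE_NET = """Force user logoff how long after time expires?:       Never
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_NET):
        print("FINDING:", finding)
```

A host at level 1 is still reported, which matches the reply's observation that a scanner may keep alerting on that setting.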
