By Mike Mullins
Whether they’re viewing a Web page without
entering a password or connecting to a Windows share through a null
session, anonymous users are not required to enter a login
credential for a network resource.
However, upgrading to Windows 2000 or XP
doesn’t remove this null session vulnerability that’s inherent with
Windows NT. You must judge for yourself whether this vulnerability
is acceptable or unnecessary.
For example, you might want users to
anonymously log on and log off for certain machines. This is
certainly true of all public Web and FTP servers. But for the rest
of your network, allowing anonymous login is a security risk that
you need to lock down.
Are you vulnerable?
The first step is to figure out whether your
organization is vulnerable and determine if anyone is exploiting
this vulnerability.
If you’re running a Web server, you should see
numerous NT Authority/Anonymous Event ID 538 (Logoff) and 540
(Logon) entries in the security log of your event viewer. These
entries are normal; your Web user account is proxying a request
from a user to view Web pages.
However, you should not see NT
Authority/Anonymous event ID 528 (Logon) Type 3 on your file
servers and workstations. These events indicate that an anonymous
user has successfully viewed or connected to a network share.
Closing this vulnerability is easy. You can
secure your network either through Group Policy or via the local
security policy on the machine.
Stop anonymous logons
In Windows 2000 Server and Windows Server 2003,
you can disable anonymous logons using Active Directory and Group
Policy. Follow these steps:
- In Group Policy, expand Computer
Configuration, expand Windows Settings, expand Security Settings,
and expand Local Policies. - Select Security Options.
- Double-click Additional Restrictions For
Anonymous Connections. - Change the setting to Do Not Allow
Enumeration Of SAM Accounts And Shares.
Or, you can make the change locally on a
machine without using Group Policy. Follow these steps:
- Go to Start
| Run. - Enter
secpol.msc in the Open text box, and click OK. This opens
the Local Security Settings applet. - Expand Local Policies, and select Security
Options. - In Windows 2000, double-click Additional
Restrictions For Anonymous Connections, and change the setting to
Do Not Allow Enumeration Of SAM Accounts And Shares. - In Windows XP, double-click Network Access: Do Not Allow
Anonymous Enumeration Of SAM Accounts And Shares, select Enabled,
and click OK.
You’ve now protected your workstations and
servers against anonymous user logons.
Final thoughts
Keep in mind that there are several situations
in which you can’t close this vulnerability, or network services to
your users and connections between servers will fail.
One of these situations is if you’re still
running your domain in mixed mode. From a security perspective,
this is just one more reason to get rid of your NT 4 machines and
go native with Windows 2000/XP/2003.
For more in-depth information on this
vulnerability and restrictions for when you can and can’t implement
this security fix, check out
Microsoft Knowledge Base article 823659.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.