MORE INFORMATION
Enumeration in the Windows 2000 and Windows NT environments
In Windows 2000 and Windows NT environments, enumeration is an information-gathering technique that can be used by malicious users. Enumeration involves establishing an active connection to a computer and then directing queries to that computer. Because enumeration involves establishing an active connection, users should log the connection through auditing. Malicious users try to gather computer-specific information through an anonymous connection that can be used in an attack.
To prevent enumeration attacks on their internal networks, most organizations use external firewalls to block the ports and the services that are used for Windows 2000 and Windows NT enumeration attacks. This prevents malicious users on external networks from conducting enumeration attacks. Therefore, the following conditions are true for most enumeration attacks:
- They are performed within an organization's local area network (LAN) environment.
- An attacker requires access to an organization's internal network.
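The auditing that the section above calls for only pays off if someone reviews the log. The following Python script is an added example, not part of the Microsoft article: it reads a tab-separated Security log export (the sample is constructed) and flags null-session connections, assuming they appear as a successful network logon (logon type 3) by NT AUTHORITY\ANONYMOUS LOGON, event 540 on Windows 2000 or 528 on Windows NT 4.0. The event IDs, column names, function names and the burst threshold are the editor's assumptions.

```python
"""Flag null-session logons in a Security log export.

Added example, not part of the Microsoft article. It assumes a
tab-separated export (constructed sample below) and that a null session
is recorded as a successful network logon (logon type 3) by
NT AUTHORITY\\ANONYMOUS LOGON, event 540 on Windows 2000 or 528 on
Windows NT 4.0. Event IDs, column names and threshold are the editor's
assumptions, not statements from the article.
"""
import csv
import io

ANONYMOUS_USER = r"NT AUTHORITY\ANONYMOUS LOGON"
SUCCESSFUL_LOGON_EVENTS = {528, 540}   # assumption: 528 (NT 4.0) / 540 (2000)
NETWORK_LOGON_TYPE = "3"

# Constructed sample export; "workstation" is the client that opened the session.
SAMPLE_SECURITY_LOG = (
    "date\ttime\tevent\tuser\tcomputer\tlogon_type\tworkstation\n"
    "2003-04-01\t09:12:03\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t3\tWKS17\n"
    "2003-04-01\t09:12:05\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t3\tWKS17\n"
    "2003-04-01\t09:12:09\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t3\tWKS17\n"
    "2003-04-01\t09:13:44\t540\tCORP\\jsmith\tDC1\t3\tWKS04\n"
    "2003-04-01\t09:15:00\t528\tCORP\\jsmith\tDC1\t2\tDC1\n"
    "2003-04-01\t09:16:21\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tFS2\t3\tWKS04\n"
)


def parse_export(text):
    """Read the tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def null_session_logons(records):
    """Return only the records that represent anonymous network logons."""
    return [
        r for r in records
        if int(r["event"]) in SUCCESSFUL_LOGON_EVENTS
        and r["logon_type"] == NETWORK_LOGON_TYPE
        and r["user"].upper() == ANONYMOUS_USER.upper()
    ]


def null_sessions_by_source(records):
    """Count null sessions per (server, client workstation) pair."""
    counts = {}
    for r in null_session_logons(records):
        key = (r["computer"], r["workstation"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def suspicious_sources(records, threshold=3):
    """Pairs with at least `threshold` null sessions.

    A burst from one client against one server is the pattern an
    enumeration run leaves behind; the occasional single null session is
    what down-level trust and browser traffic produces (see the article).
    """
    return sorted(k for k, n in null_sessions_by_source(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_SECURITY_LOG)
    print("null sessions:", null_sessions_by_source(recs))
    print("review these sources:", suspicious_sources(recs))
```

Run it against a real export by replacing SAMPLE_SECURITY_LOG with the file contents; a source that shows up as suspicious on a server where RestrictAnonymous is supposed to be 2 is worth an immediate look, because that setting should leave no null sessions at all.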
Null sessions and enumeration
By default, Windows 2000 and Windows NT rely on Common Internet File System (CIFS) and Server Message Blocks (SMBs). SMBs include APIs that return information about a computer through ports 139 and 445. This information is provided even to an unauthenticated user. A null session is an unauthenticated connection to a Windows 2000 or a Windows NT-based computer. A null session can then be used to access the SMB APIs remotely. Null sessions are also referred to as null session connections, anonymous logon, and anonymous connections. In Windows 2000 and Windows NT environments, null sessions are used to gather information about the following:
- Network information
- Shares
- Users and groups
- Registry keys
Windows networks that use multiple domains may require that anonymous user logons list account information. The following example shows how anonymous connections are used. Consider two Windows NT domains: an account domain and a resource domain. The resource domain has a one-way trust relationship with the account domain. The resource domain trusts the account domain, but the account domain does not trust the resource domain. Users from the account domain can authenticate and access resources in the resource domain based on the one-way trust. If an administrator in the resource domain wants to grant file access to a user from the account domain, the administrator has to obtain the list of users and of groups from the account domain. The administrator then selects a user or a group to grant access permissions to. Because the account domain does not trust the resource domain, the administrator's request from the resource domain to obtain the list of users and of groups in the account domain cannot be authenticated. Therefore, a null session is used to make the connection that, in turn, is used to obtain the list of account domain users.
Using the RestrictAnonymous registry value to control null sessions
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
The most common way to control null sessions in Windows 2000 and Windows NT environments is to use the RestrictAnonymous registry value. The RestrictAnonymous registry value lets you prevent enumeration of sensitive information over null sessions. The RestrictAnonymous registry value was introduced in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and is now included with Windows 2000. The RestrictAnonymous registry value is added to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The RestrictAnonymous registry value lets you configure local computer policy to determine whether authentication is required to perform common enumeration functions. There are different RestrictAnonymous registry values for Windows NT 4.0 and Windows 2000.
In a Windows 2000 environment, you can set the RestrictAnonymous registry value to 0, 1, or 2. When you set this registry value to 0, anonymous connections can list account names and enumerate share names. When you set this registry value to 1, anonymous enumeration of SAM accounts and share names is not permitted.
Note Even with the RestrictAnonymous registry value set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when the RestrictAnonymous registry value is set to 1.
Finally, when this registry value is set to 2, no access is granted without explicit anonymous permissions. Therefore, no null sessions are possible, not even through Win32 programming interfaces. Generally, we do not recommend that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level client computers such as Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98.
In a Windows NT 4.0 environment, you can set the RestrictAnonymous registry value to 0, 1, or not defined. When you set this value to 0, or when this value is not defined, anonymous connections can list account names and enumerate share names. When you set this value to 1, anonymous connections from the graphical user interface (GUI) tools for security management receive an "access denied" error message when they try to obtain the list of account names.
Note Even when the RestrictAnonymous registry value is set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when this registry value is set to 1.
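The following Python script is an added example, not code from the Microsoft article. It reads a regedit export of the Lsa key (a constructed sample is embedded), extracts RestrictAnonymous and reports what that value means for the Windows version in question as the article describes it: whether null sessions can still list accounts and shares, whether the Win32-interface caveat for value 1 applies, and whether value 2 carries the down-level compatibility risk. The .reg sample, the function names and the returned field names are the editor's own.

```python
"""Audit RestrictAnonymous from a regedit (.reg) export of the Lsa key.

Added example, not part of the Microsoft article. It parses the text
regedit writes with 'regedit /e' (key path in square brackets, DWORDs as
"name"=dword:xxxxxxxx) and maps the value onto the behaviour the article
describes for Windows 2000 (0, 1, 2) and Windows NT 4.0 (0, 1, or not
defined). Sample export, function names and field names are the editor's.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "RestrictAnonymous"

# Constructed sample of what regedit /e writes for the Lsa key (other values trimmed).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"RestrictAnonymous"=dword:00000001
"LmCompatibilityLevel"=dword:00000000
"""

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def read_dword(reg_text, key, name):
    """Return DWORD `name` under `key`, or None when the key or value is absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A [key] header starts a new key; compare the full path case-insensitively.
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _DWORD_LINE.match(line)
        if m and m.group(1).lower() == name.lower():
            return int(m.group(2), 16)
    return None


def assess(value, windows_version):
    """Interpret a RestrictAnonymous value for windows_version "2000" or "NT4".

    Returns a dict with:
      value                      the DWORD found (None = not defined)
      null_session_enumeration   True if anonymous connections can list accounts and shares
      win32_enumeration_possible True if Win32 interfaces still answer null sessions
      downlevel_risk             True if down-level clients and DCs may break (value 2)
    """
    if windows_version not in ("2000", "NT4"):
        raise ValueError("windows_version must be '2000' or 'NT4'")
    # "Not defined" behaves like 0 on NT 4.0 per the article; the same is assumed here for 2000.
    effective = 0 if value is None else value
    if effective == 0:
        return dict(value=value, null_session_enumeration=True,
                    win32_enumeration_possible=True, downlevel_risk=False)
    if effective == 1:
        # Account and share enumeration is refused, but some Win32 interfaces still answer.
        return dict(value=value, null_session_enumeration=False,
                    win32_enumeration_possible=True, downlevel_risk=False)
    if effective == 2 and windows_version == "2000":
        # No anonymous access at all; netlogon channels and the browser service can break.
        return dict(value=value, null_session_enumeration=False,
                    win32_enumeration_possible=False, downlevel_risk=True)
    raise ValueError(f"RestrictAnonymous={value} is not a documented setting on Windows {windows_version}")


def audit(reg_text, windows_version):
    """Parse the export and assess the setting in one call."""
    return assess(read_dword(reg_text, LSA_KEY, VALUE_NAME), windows_version)


if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT, "2000"))
```

To use it on a real system, export the key with regedit /e, read the file into reg_text, and pass "2000" or "NT4". A result with null_session_enumeration False but win32_enumeration_possible True is the value-1 state the note above describes: an improvement, but not the removal of null sessions.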
The following features were introduced together with the RestrictAnonymous registry value:
- Authenticated Users group
- Restricting anonymous list of share names
- Restricting anonymous remote registry access
Authenticated Users group
The Authenticated Users group is similar to the Everyone group, except for one important difference: Anonymous logon users or null session connections are never members of the Authenticated Users group. An authenticated network connection from any account in the server's domain, or from any domain that is trusted by the server's domain, is identified as an authenticated user. The Authenticated Users group can be granted access permissions to resources. The Authenticated Users group feature does not modify any existing access control lists (ACLs); access permissions that were granted to the Everyone group are not changed to use the Authenticated Users group.
Restricting anonymous list of share names
The server service that provides remote file access to share resources also uses the RestrictAnonymous registry value to control whether anonymous connections can obtain a list of share names. Therefore, you can set the value of a single registry configuration entry to define how the computer responds to enumeration requests by anonymous logons.
Restricting anonymous remote registry access
The RestrictAnonymous registry value also lets you restrict anonymous remote registry access. This feature prevents anonymous users from connecting to the registry remotely. It also prevents anonymous users from reading or from writing any registry data. Remote access to the registry is controlled through the ACL on the winreg registry key. The ACL on the winreg registry key identifies the authenticated users who can remotely connect to the registry.
The effect of removing null sessions from the Windows 2000 and Windows NT environments
By enabling the RestrictAnonymous registry value in Windows 2000 and in Windows NT, you can remove null sessions from your Windows 2000 and Windows NT environments. However, this affects Windows 2000 and Windows NT functionality and applications.
When you set the RestrictAnonymous registry value to 2 in a Windows 2000 environment, the access token that is built for non-authenticated users does not include the Everyone group. Therefore, this access token no longer has access to those resources that grant permissions to the Everyone group. When you set this value to 2 on a Windows 2000-based domain controller, you may experience the following symptoms:
- Down-level member workstations or servers cannot set up a netlogon security channel.
- Down-level domain controllers in trusting domains cannot set up a netlogon security channel.
- Windows NT users cannot change their passwords after their passwords expire. Also, Macintosh users cannot change their passwords at all.
- The browser service cannot retrieve domain lists or server lists from backup browsers, from master browsers, or from domain master browsers that are running on computers where the RestrictAnonymous registry value is set to 2. Therefore, any program that relies on the browser service does not function correctly.
In summary, we recommend that you set the RestrictAnonymous registry value to 0 in mixed-mode environments that include down-level client computers. Consider setting the RestrictAnonymous registry value to 2 only in Windows 2000 environments. However, consider doing this only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.
REFERENCES
For more information about setting Restrict Anonymous to 0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
For more information about the effect of removing null sessions on domains and on trusts, click the following article numbers to view the articles in the Microsoft Knowledge Base:
178640 Could not find domain controller when establishing a trust
296405 The "RestrictAnonymous" registry value may break the trust to a Windows 2000 domain
135060 Access denied attempting to change client domain password
293127 The Net Logon service of a Windows NT 4.0 BDC does not function in a Windows 2000 domain
129457 RestrictAnonymous access enabled lets anonymous connections obtain the password policy
198941 Users cannot change password when logging on
196289 SP3 clients cannot change passwords - error C00000BE
192126 Add workstation fails with RestrictAnonymous
For more information about the effect of removing null sessions in SMS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
311257 Resources are not discovered if anonymous connections are turned off
312512 Network discovery cannot connect anonymously to client after remote client installation
For more information about the effect of removing null sessions in Exchange Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:
319879 MAPI clients cannot view the Global Address List and resolve names
309622 Clients cannot browse the Global Address List after you apply the Q299687 Windows 2000 security hotfix
272726 Administrators are able to browse user list of untrusted domains
260870 Restrict Anonymous prevents discovery of Windows NT 4.0 domain
For more information about restricting information available to anonymous logon users, click the following article numbers to view the articles in the Microsoft Knowledge Base:
143474 Restricting information available to anonymous logon users
246261 How to use the RestrictAnonymous registry value in Windows 2000
Also see
Hacking Exposed Windows 2000: Network Security Secrets and Solutions by Stuart McClure and Joel Scambray.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.