There is the well-known method of securing a Windows system from null session access (http://www.sans.org/reading_room/whitepapers/windows/286.php), but there are additional steps that can be taken.
As part of a security mandate at work, we've been advised to delete the following values from the registry to further secure systems from anonymous access.
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\RestrictNullSessAccess
It can't be done via GPO, which is a shame, but it can be done by a script. The easiest way is to do the following.
reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v NullSessionShares /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v NullSessionPipes /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v RestrictNullSessAccess /f
If you use Trend Server Protect, you can't delete the values TMRPC\AgentRPC or TMRPC\SPNTSVC from the NullSessionPipes or it won't work. I'm sure some nice VBScript could do the trick to get around this, but I don't need anything sophisticated.
I've done the registry mods on my system, and everything works OK, so happy days.
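One way to handle the Trend Server Protect case described above, as an added PowerShell example that is not from the original post: rather than deleting NullSessionPipes outright, it trims the value down to the two TMRPC pipes (only if they are already listed) and removes the other two values as the reg delete commands do. The function name, variable names and the $DryRun switch are hypothetical.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Set $DryRun = $false to apply; with $true the cmdlets only report via -WhatIf.
$DryRun = $true
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# Pipes the post says Trend Server Protect needs. Leave empty if not installed.
$allow  = @('TMRPC\AgentRPC', 'TMRPC\SPNTSVC')

function Select-AllowedPipe {
    param([string[]]$Current, [string[]]$Allowed)
    # Keep only entries already present AND on the allow-list.
    # -contains is case-insensitive; blank/null entries are dropped first.
    @($Current | Where-Object { $_ } | ForEach-Object { $_.Trim() } |
        Where-Object { $Allowed -contains $_ })
}

$props   = Get-ItemProperty -Path $key -ErrorAction Stop
$current = @($props.NullSessionPipes)
$keep    = Select-AllowedPipe -Current $current -Allowed $allow

# Record what is about to change so it can be restored if something breaks.
Write-Output ("NullSessionPipes before: " + (($current | Where-Object { $_ }) -join ', '))
Write-Output ("NullSessionPipes after : " + ($keep -join ', '))

if ($keep.Count -gt 0) {
    # NullSessionPipes is a REG_MULTI_SZ value, so write it back as MultiString.
    Set-ItemProperty -Path $key -Name NullSessionPipes -Value $keep `
        -Type MultiString -WhatIf:$DryRun
} else {
    # Nothing on the allow-list was present: same effect as the reg delete line.
    Remove-ItemProperty -Path $key -Name NullSessionPipes `
        -ErrorAction SilentlyContinue -WhatIf:$DryRun
}

# The other two values are removed outright, as in the post.
foreach ($name in 'NullSessionShares', 'RestrictNullSessAccess') {
    Remove-ItemProperty -Path $key -Name $name `
        -ErrorAction SilentlyContinue -WhatIf:$DryRun
}
```

Because the script filters the existing list instead of writing a fixed one, it never adds an anonymous pipe that was not already configured on the machine.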