I ran into an interesting issue recently where I was able to enumerate all domain users on a client's DC because NULL Sessions were enabled. The client thought they had disabled NULL Sessions, but it seems they had one small misconfiguration. I ran the tool rid_enum and got results similar to the screenshot below on one of the DCs.
rid_enum failed against the other DC and the member servers, so I started looking for settings that were different between the two DCs. I checked all the registry keys below and they all looked the same:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1
HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess = 1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AdjustedNullSessionPipes = 3
I also checked the following policies under Local Policies -> Security Options in the Local Security Policy:
Network access: Allow anonymous SID/Name translation - Disabled
Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
Network access: Restrict anonymous access to Named Pipes and Shares - Enabled
The culprit looked to be the following registry key and its matching local policy:
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
Network access: Named Pipes that can be accessed anonymously
The vulnerable DC had netlogon, samr, and lsarpc (which is the default I believe) listed in the policy/registry. The unaffected DC had only netlogon and lsarpc. In my testing it looked like if both lsarpc and samr were listed in the policy/registry I could enumerate users. Adding either entry by itself didn't seem to work, but if they were both listed, the enumeration was successful. After some additional research I realized that NULL sessions were actually still accessible on both DCs. I couldn't glean much usable information using rpcclient with no credentials, but I could nonetheless still connect and issue commands.
I removed all of the entries from "Network access: Named Pipes that can be accessed anonymously" on both servers and tried to connect again. This time I got an "NT_STATUS_ACCESS_DENIED" message. I realize this may cause some applications to break, so I will make sure the client monitors things closely. However, so far they haven't seen any adverse effects.
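The check and the fix described above, as an added PowerShell example (not code from the original post): it reads the same Lsa and LanManServer values listed earlier on the local server, flags the samr + lsarpc combination in NullSessionPipes, and, with a switch, empties that list the way the post's fix did. The expected values are taken from the hardened settings listed above; the `-Remediate` switch name is my own choice for this example.

```powershell
# Added example, not from the original post. Audits the null-session settings
# discussed above on the local server and optionally clears NullSessionPipes.
# The expected values are assumptions taken from the post's hardened baseline;
# -Remediate is a hypothetical switch name chosen for this example.
[CmdletBinding()]
param([switch]$Remediate)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# DWORD values the post checked, with the setting that matches the hardened policy.
$expected = @{
    "$lsa\RestrictAnonymous"         = 1
    "$lsa\RestrictAnonymousSAM"      = 1
    "$lsa\EveryoneIncludesAnonymous" = 0
    "$srv\RestrictNullSessAccess"    = 1
}

$findings = @()
foreach ($entry in $expected.GetEnumerator()) {
    $path   = Split-Path $entry.Key -Parent
    $name   = Split-Path $entry.Key -Leaf
    # A missing value reads as $null, which is reported as a mismatch too.
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $entry.Value) {
        $findings += "$name is '$actual' (expected $($entry.Value))"
    }
}

# NullSessionPipes is a REG_MULTI_SZ. Normalise to a non-empty string array.
$pipes = @((Get-ItemProperty -Path $srv -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes)
$pipes = @($pipes | Where-Object { $_ })
$lower = @($pipes | ForEach-Object { $_.ToLowerInvariant() })

if (($lower -contains 'samr') -and ($lower -contains 'lsarpc')) {
    $findings += "NullSessionPipes lists both samr and lsarpc ($($pipes -join ', ')): anonymous user enumeration is likely possible"
} elseif ($pipes.Count -gt 0) {
    $findings += "NullSessionPipes is not empty ($($pipes -join ', ')): anonymous pipe access is still allowed"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no anonymous named-pipe access configured on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate -and $pipes.Count -gt 0) {
    # Mirrors the fix in the post: empty the "Named Pipes that can be accessed
    # anonymously" list. On a domain member the local value is normally
    # overwritten by Group Policy at the next refresh, so make the same change
    # in the GPO (Security Settings -> Local Policies -> Security Options)
    # rather than relying on the local registry alone.
    New-ItemProperty -Path $srv -Name NullSessionPipes -PropertyType MultiString -Value @() -Force | Out-Null
    Write-Output "NullSessionPipes cleared on $env:COMPUTERNAME"
}
```

Run it as an administrator on each DC; then confirm from the network, as the post did, with an unauthenticated `rpcclient -U "" -N <dc> -c enumdomusers`, which should now return NT_STATUS_ACCESS_DENIED rather than a user list.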
Interestingly, while researching this I spun up a fresh VM of W2K8 R2 and made it a domain controller. With all the applicable Local Security Policies and registry settings the same, I wasn't able to enumerate users on the test VM. It didn't seem to matter which "Named Pipes" were in the policy/registry.
Here are some additional resources regarding NULL Sessions:
1 comment:
Thank you! This was exactly my issue 7 years later?