Spat's WebLog (Steve Patrick)

When things go wrong...

FYI - Changes to null session pipes post 2k3 SP1


Pre Win2k3 SP1 we actually had a hardcoded list of null session pipes, which was combined with the registry key to come up with the complete list of allowed NULL session pipes.
 
 
PRE SP1 hard coded list:
===========
    L"netlogon",
    L"lsarpc",
    L"samr",
    L"browser",
    L"srvsvc",
    L"wkssvc",
 
 
 
 
POST SP1
==========
None
 

Net result?

If you messed with the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
NullSessionPipes value (removed things like lsarpc, netlogon, etc.), you will fail NULL session authentications where you used to succeed, even with nothing defined in the registry.
 
 
 
CHANGES:
=========
We remove items like trkwks, trksvr, epmapper, and locator.
We add browser.
We then write the value AdjustedNullSessionPipes == 1 under
CurrentControlSet\Services\lanmanserver\parameters.
We remove the hardcoded list seen above.
 
 
What does it affect?
 
Scenario:
   DFS server goes to access a DC to get site info - it calls DsAddressToSiteNames() (connect to netlogon) to determine site info.
 
 
DFS Service runs as Local System.
If the Kerberos authentication fails for some reason, we fall back to NTLM and it will authenticate as NULL.
 
This call then fails since the DC will not authenticate the null connection to the
named pipe \pipe\netlogon.
 
 
Net Trace shows:
==================
 
DFS Server sends authn data:
        SMB Command: Session Setup AndX (0x73)
        Security Blob:
               Domain name: NULL
               User name: NULL
               Host name: NNSFLS001
 
DC responds:
        SMB Command: Session Setup AndX (0x73)
        NT Status: STATUS_SUCCESS (0x00000000)
 
DFS Server tries to access \pipe\netlogon
        SMB      NT Create AndX Request, Path: \NETLOGON
 
DC Responds:
        SMB Command: NT Create AndX (0xa2)
        NT Status: STATUS_ACCESS_DENIED (0xc0000022)
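The registry state behind the STATUS_ACCESS_DENIED above can be checked from the server side. The following PowerShell is an added example and is not code from the original post: it reads the lanmanserver parameters key named in the post, compares NullSessionPipes with the pre-SP1 hard-coded list, and reports whether a NULL session to \pipe\netlogon would still be allowed. The function name Get-NullSessionPipeAudit, the optional -NullSessionPipes parameter for offline review, and the RestrictNullSessAccess value (the registry value behind the "Restrict anonymous access to Named Pipes and Shares" policy quoted in the comments) are my additions and not from the page.

```powershell
# Added example, not code from the original post: read-only audit of the
# NullSessionPipes configuration described above, for a Windows Server 2003
# SP1 (or later) host. Run from an elevated PowerShell prompt.

# Registry key named in the post; both values discussed there live under it.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# Pre-SP1 hard-coded list from the post. After SP1 only the registry value counts.
$LegacyHardcoded = @('netlogon', 'lsarpc', 'samr', 'browser', 'srvsvc', 'wkssvc')

function Get-NullSessionPipeAudit {
    [CmdletBinding()]
    param(
        [string]$Key = $LanmanParams,
        # Optional: pass an exported list instead of reading the live registry
        # (hypothetical parameter, e.g. for reviewing a policy backup offline).
        [string[]]$NullSessionPipes
    )

    $props = $null
    if (-not $PSBoundParameters.ContainsKey('NullSessionPipes')) {
        $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        # REG_MULTI_SZ comes back as string[]; an absent value yields $null.
        $NullSessionPipes = @()
        if ($null -ne $props -and $null -ne $props.NullSessionPipes) {
            $NullSessionPipes = @($props.NullSessionPipes)
        }
    }

    # Normalise for comparison: drop blanks, trim, lower-case.
    $configured = @($NullSessionPipes |
        Where-Object { $_ } |
        ForEach-Object { $_.Trim().ToLowerInvariant() })

    # AdjustedNullSessionPipes == 1 marks a box whose list SP1 setup already rewrote.
    $adjusted = $null
    if ($null -ne $props -and $null -ne $props.AdjustedNullSessionPipes) {
        $adjusted = [int]$props.AdjustedNullSessionPipes
    }

    # RestrictNullSessAccess backs the "Restrict anonymous access to Named Pipes
    # and Shares" policy: 1 (the default) = only listed pipes, 0 = all pipes.
    $restrict = $null
    if ($null -ne $props -and $null -ne $props.RestrictNullSessAccess) {
        $restrict = [int]$props.RestrictNullSessAccess
    }

    $missing = @($LegacyHardcoded | Where-Object { $configured -notcontains $_ })
    $extra   = @($configured | Where-Object { $LegacyHardcoded -notcontains $_ })

    [pscustomobject]@{
        Key                      = $Key
        NullSessionPipes         = $configured
        AdjustedNullSessionPipes = $adjusted
        RestrictNullSessAccess   = $restrict
        # Formerly hard-coded pipes that NULL sessions can no longer open here.
        MissingLegacyPipes       = $missing
        # Pipes allowed beyond the legacy set; each one widens anonymous reach.
        ExtraPipes               = $extra
        # The post's DFS case: a NULL session to \pipe\netlogon is refused
        # post-SP1 unless netlogon is listed (or restriction is switched off).
        NetlogonNullSessionOk    = (($restrict -eq 0) -or ($configured -contains 'netlogon'))
    }
}

# Usage: live audit of this host.
Get-NullSessionPipeAudit | Format-List

# Usage: offline check of a constructed list (not a real export) that mimics a
# box where an admin removed netlogon and lsarpc, as in the post's "Net result".
Get-NullSessionPipeAudit -NullSessionPipes @('samr', 'browser', 'srvsvc', 'wkssvc') |
    Select-Object MissingLegacyPipes, NetlogonNullSessionOk
```

On a DC that shows MissingLegacyPipes containing netlogon, the trace pattern above (anonymous Session Setup succeeding, then NT Create AndX on \NETLOGON returning STATUS_ACCESS_DENIED) is the expected symptom whenever a Local System caller falls back from Kerberos to NTLM.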
 
 
 

  • Great post Steve, I hadn't a clue about that change.

      joe
  • PingBack from http://blog.joeware.net/2006/05/16/372/
  • thx Joe!
  • Hi All,

    The above article is great and I would like to add some more to what is given above.

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    The question was: what is the impact of setting the value to null for the setting Named Pipes that can be accessed anonymously?

    ==============================================

    The Effect would be as simple as that this would disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. For example, with Microsoft Commercial Internet System 1.0, the Internet Mail Service runs under the Inetinfo process. Inetinfo starts in the context of the System account. When Internet Mail Service needs to query the Microsoft SQL Server database, it uses the System account, which uses null credentials to access a SQL pipe on the computer that runs SQL Server.

    Extract from the TechNet:

    =========================

    Network access: Named Pipes that can be accessed anonymously

    This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

    The possible values for the Network access: Named Pipes that can be accessed anonymously setting are:

    . A user-defined list of shares

    . Not Defined

    For this policy setting to take effect, you must also enable the Network access: Restrict anonymous access to named pipes and shares setting.

    Vulnerability

    You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The default list of named pipes and their purpose is provided in the following table.

    Table 5.1: Default Named Pipes That Are Accessible Anonymously

    Named pipe   Purpose
    COMNAP       SNABase named pipe. Systems Network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.
    COMNODE      SNA Server named pipe.
    SQL\QUERY    Default named pipe for SQL Server.
    SPOOLSS      Named pipe for the Print Spooler service.
    EPMAPPER     End Point Mapper named pipe.
    LOCATOR      Remote Procedure Call Locator service named pipe.
    TrkWks       Distributed Link Tracking Client named pipe.
    TrkSvr       Distributed Link Tracking Server named pipe.

    Countermeasure

    Configure the Network access: Named Pipes that can be accessed anonymously setting to a null value (enable the setting but do not enter named pipes in the text box).

    Potential Impact

    This configuration will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. For example, with Microsoft Commercial Internet System 1.0, the Internet Mail Service runs under the Inetinfo process. Inetinfo starts in the context of the System account. When Internet Mail Service needs to query the Microsoft SQL Server database, it uses the System account, which uses null credentials to access a SQL pipe on the computer that runs SQL Server.

    To avoid this problem, refer to the Microsoft Knowledge Base article "How to access network files from IIS applications," which is located at http://support.microsoft.com/default.aspx?scid=207671

    For More info:

    ==============

    http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch05n.mspx.

    =====================================================================================

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Some of the known issues we face when we set the NullSessionPipes key to null:

    # TS won't be able to obtain a license. Error received is: 'error in the licensing protocol'

    # We are unable to start TSLS Service.

    # We will face Licensing replication issue.

    # We get an error like "You do not have permission to change the password" for our domain login.

    # We also can't change the local workstation password.

    # We receive errors while installing SQL.

    # Any application that depends on anonymous access will break. This will happen with any legacy application that we are using.

    # Anytime the server falls back to NTLM for authentication it won't be able to communicate.

    # The SMB signing breaks.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  • the default is supposed to be set at none so why would anyone want someone anonymously accessing their network anyhow?

  • To answer your question -see the notes in http://support.microsoft.com/kb/q289655/

  • Can you use wildcards in specifying NULL pipes?  The reason is that I have an application that creates dynamic WMI pipes and I have a security requirement to restrict anonymous named pipes so it must be defined in the local security policy.  Thanks in advance for any feedback.

  • please provide me the registry key to set the following

    Network access: Named Pipes that can be accessed : anonymously:none
