5

During an audit the question of anonymous access to the IPC$(null sessions) share was raised. The audit lists the following as being a risk on a Windows 2008r2 file server:

C:\>net use \\fileserver\ipc$ "" /user:"" The command completed successfully.

I've confirmed that the following settings are configured

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ Network access: Allow anonymous SID/Name translation = disabled Network access: Do not allow anonymous enumeration of SAM accounts =enabled Network access: Do not allow anonymous enumeration of SAM accounts and shares =enabled Network access: Let Everyone permissions apply to anonymous users=disabled Network access: Named Pipes that can be accessed anonymously= <blank> Network access: Shares that can be accessed anonymously= <blank>

and that anonymous enumeration(shares, users, etc..) does not work, but I've been told that if the above command completes successfully then the risk remains and we need to correct it. I'm at a loss as to what other settings would fix this and do not want to script the deletion of the share. Are there any other settings that need to be set? Should these setting cause the anonymous connection to fail? Is there anything else I might have missed?

5y5tem5
  • 51
  • 1
  • 3

2 Answers2

4

Change the registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
    RestrictAnonymous = 2

Or, if you'd rather do it via Group Policy:

Network access: Restrict anonymous access to Named Pipes and Shares = Enabled.

Also you want to make sure that

Network access: Let Everyone permissions apply to anonymous users

is set to Disabled. This corresponds to the registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
    EveryoneIncludesAnonymous = 0
Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
  • Sorry, missed adding Network access: Restrict anonymous access to Named Pipes and Shares in my list above its already enabled. (setting the registry value to 2 or 1 seems to make no difference). Per my question I've already set Network access: Let Everyone permissions apply to anonymous users to disabled. – 5y5tem5 Mar 30 '15 at 15:04
  • And you've rebooted since changing the settings? And you've confirmed that the problem actually does really still exist? (In other words, it's not a false positive?) – Ryan Ries Mar 30 '15 at 15:13
  • yes I've rebooted. Yes the "problem" does in fact exist.. I'm just not sure if it really is a problem or if its expected behavior IE should I be getting an access denied error when I attempt to connect anonymously to the IPC$ share, or should it complete and just not allow me to enumerate any local resources. If it's the latter then their report is wrong if it's the former then something is wrong with my setup... – 5y5tem5 Mar 30 '15 at 15:51
  • While my answer was for some odd reason downvoted, it reflects the guidance from the Microsoft guide on the matter. Also use the group policy settings rather than the reg keys. – Jim B Apr 08 '15 at 02:49
-1

Check the latest guidance in the SCM for your OS. According to the baseline for 2k8r2 SP2, restrict anonymous access to named pipes and share should be enabled. You should be setting this via group policy, and should probably audit your security baseline with the tool as well.

Jim B
  • 24,081
  • 4
  • 36
  • 60