I am a sysadmin for a company, and we just had a Penetration Test done on our internal network. The team discovered that it is possible to query/enumerate our DC (Server 2012) for information with the following commands:
Global.exe – shows a list of users in a DA group (such as "Domain Administrators" and "Enterprise Admins")
Getpolicy.exe – shows the password policy of the domain.
Local.exe – FAILED – shows the local administrators on any individual machine.
Their recommendations are:
Enable the "Restrict Anonymous" registry key setting on all Windows domain controllers and any other sensitive NT/2000 servers or workstations.
In order to configure the "Restrict Anonymous" setting:
· Open Regedt32.exe (Start > Run > type 'regedt32' and click OK)
· Locate the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
· Double-click the DWORD Value Name: 'RestrictAnonymous'
· Enter the appropriate setting according to your environment.
For Windows 2003 and later, edit the network security settings in the group policy editor.
· Network Access: Do not allow anonymous enumeration of SAM accounts and shares
· Network Access: Do not allow anonymous enumeration of SAM accounts
Disable the following settings:
· Network Access: Anonymous access to Named Pipes and Shares
· Network Access: Allow anonymous SID/Name translation
However, if I'm not mistaken, we already have all of these recommendations in our current Live GPO setup:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options - Enabled
Network access: Restrict Anonymous access to Named Pipes and Shares
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Shares that can be accessed anonymously = nullsessionpipe - Disabled
Network access: Let Everyone permissions apply to anonymous users – Already set up on GPO
Network access: Allow anonymous SID/Name translation – Already set up on GPO
Additional mitigation we have:
Use GPO to update the registry with the following
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous = 1
RestrictAnonymousSAM = 1
EveryoneIncludesAnonymous = 0
What they claim is that since our global settings are correct and one of the enumerations/queries doesn't work (local.exe), we might have a different setting that is overriding these and enables an attacker to run Getpolicy.exe and Global.exe. What could possibly cause this? Where can I look in order to solve this? If it's possible to simply disallow/disable Null Sessions completely, that is also acceptable; however, I would like to know how to keep them and prevent them from doing the above. Thank you!
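As an added example (this is not code from the original post or from the pentest report), the PowerShell audit below is what I would run on the DC before chasing a GPO conflict. It reads the effective registry values behind the "Network access:" policies listed above, prints the named pipes and shares that are still reachable anonymously (on domain controllers the NullSessionPipes list is commonly not empty: netlogon, samr and lsarpc, and samr/lsarpc are the interfaces that SAM and LSA enumeration tools talk to, so RestrictAnonymous = 1 on its own does not close them), lists who is in "Pre-Windows 2000 Compatible Access" (if ANONYMOUS LOGON, S-1-5-7, or Everyone, S-1-1-0, is a member, anonymous callers can read user and group objects regardless of the LSA settings), generates a gpresult report so you can see which GPO actually wins for each setting, and finally tries a null session from the client side. The host name DC01 and the report path are placeholders.

```powershell
# Added audit script, not part of the original post. Run from an elevated
# PowerShell prompt on the domain controller (RSAT AD module required for step 3).
# 'DC01' is a placeholder for the DC being tested.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null (printed as blank) when the value is not set at all
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Effective values behind the GPO "Network access:" settings.
#    These are what the GPO should have written; if they differ from the GPO,
#    another policy (or a local setting) is winning.
$checks = [ordered]@{
    'Lsa\RestrictAnonymous (expect 1)'                 = Get-RegValue $lsa 'RestrictAnonymous'
    'Lsa\RestrictAnonymousSAM (expect 1)'              = Get-RegValue $lsa 'RestrictAnonymousSAM'
    'Lsa\EveryoneIncludesAnonymous (expect 0)'         = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
    'LanmanServer\RestrictNullSessAccess (expect 1)'   = Get-RegValue $lanman 'RestrictNullSessAccess'
}
"== LSA / LanmanServer values =="
$checks.GetEnumerator() | ForEach-Object { '{0,-48} {1}' -f $_.Key, $_.Value }

# 2. Pipes and shares that "Network access: Named Pipes/Shares that can be
#    accessed anonymously" still leaves open. On a DC this list is often
#    netlogon, samr, lsarpc by default; samr and lsarpc are exactly the
#    interfaces anonymous SAM/LSA enumeration uses.
"`n== Anonymous pipes/shares (NullSessionPipes / NullSessionShares) =="
'NullSessionPipes : ' + ((Get-RegValue $lanman 'NullSessionPipes')  -join ', ')
'NullSessionShares: ' + ((Get-RegValue $lanman 'NullSessionShares') -join ', ')

# 3. Pre-Windows 2000 Compatible Access membership. Members show up as
#    foreignSecurityPrincipal DNs; S-1-5-7 = ANONYMOUS LOGON, S-1-1-0 = Everyone,
#    S-1-5-11 = Authenticated Users (the hardened default).
"`n== Pre-Windows 2000 Compatible Access members =="
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADGroup 'Pre-Windows 2000 Compatible Access' -Properties member |
    Select-Object -ExpandProperty member

# 4. Resultant Set of Policy for the computer: open the HTML report and look
#    at the "Winning GPO" column under Security Settings > Local Policies.
$report = Join-Path $env:TEMP 'gpresult-dc.html'
gpresult /scope computer /h $report /f
"`nRSoP report written to $report"

# 5. Client-side check. Run this part from a workstation against the DC:
#    a successful connection means null sessions are still accepted; once
#    anonymous access is actually closed it should fail with "System error 5".
#    cmd is used so the empty username/password arguments are passed verbatim.
"`n== Null session test against DC01 =="
cmd /c 'net use \\DC01\IPC$ "" /user:""'
cmd /c 'net use \\DC01\IPC$ /delete' 2>$null
```

The first thing to compare is step 1 against step 4: if the registry values match the GPO but step 2 still shows samr and lsarpc (or step 3 shows ANONYMOUS LOGON or Everyone), the policies are applying fine and the exposure is coming from those two places rather than from an overriding GPO.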