FYI - Changes to null session pipes post 2k3 SP1
Before Win2k3 SP1, the complete list of allowed NULL session pipes was built from a hardcoded list of null session pipes plus the registry key.
PRE SP1 hard coded list:
===========
L"netlogon",
L"lsarpc",
L"samr",
L"browser",
L"srvsvc",
L"wkssvc",
POST SP1
==========
None
Net result?
If you modified the NullSessionPipes value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters (for example, removed entries such as lsarpc, netlogon, etc.), you will now fail NULL session authentications where you used to succeed, even with nothing defined in the registry.
CHANGES:
=========
We remove items like trkwks, trksvr, epmapper, and locator.
We add browser
We then write the value AdjustedNullSessionPipes == 1 under CurrentControlSet\Services\lanmanserver\parameters
We remove the hardcoded list seen above
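The before-and-after behaviour described above, as an added Python example (not Microsoft's code and not part of the original post): it models the effective allow-list and reports which pipes a NULL session loses after SP1. The function names are hypothetical, and it assumes the adjustment rewrites the NullSessionPipes registry value once, guarded by AdjustedNullSessionPipes.

```python
# Added illustration, not Microsoft's code: models the null session pipe
# allow-list before and after Win2k3 SP1 as described in the post.

# Hard-coded list consulted before SP1 (from the post).
PRE_SP1_HARDCODED = {"netlogon", "lsarpc", "samr", "browser", "srvsvc", "wkssvc"}
# Entries the SP1 adjustment removes from / adds to the registry value (from the post).
SP1_REMOVED = {"trkwks", "trksvr", "epmapper", "locator"}
SP1_ADDED = {"browser"}


def _norm(pipes):
    """Pipe names compare case-insensitively; drop blank entries."""
    return {p.strip().lower() for p in pipes if p.strip()}


def effective_pre_sp1(registry_pipes):
    """Pre-SP1: hard-coded list plus the NullSessionPipes registry value."""
    return PRE_SP1_HARDCODED | _norm(registry_pipes)


def effective_post_sp1(registry_pipes, already_adjusted=False):
    """Post-SP1: no hard-coded list, only the registry value.

    Assumption: the adjustment runs once; already_adjusted stands in for
    AdjustedNullSessionPipes == 1 already being present.
    """
    pipes = _norm(registry_pipes)
    if already_adjusted:
        return pipes
    return (pipes - SP1_REMOVED) | SP1_ADDED


def lost_anonymous_access(registry_pipes, already_adjusted=False):
    """Pipes a NULL session could open before SP1 but is denied after."""
    before = effective_pre_sp1(registry_pipes)
    after = effective_post_sp1(registry_pipes, already_adjusted)
    return sorted(before - after)


if __name__ == "__main__":
    # Constructed sample: an admin trimmed NullSessionPipes to a short list.
    trimmed = ["COMNAP", "COMNODE", "SQL\\QUERY", "spoolss", "epmapper"]
    print("lost after SP1:", lost_anonymous_access(trimmed))
```

A pipe such as netlogon in the output is one that the DFS scenario below would be denied on when it falls back to a NULL session.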
What does it affect?
Scenario:
A DFS server goes to access a DC to get site info - it calls DsAddressToSiteNames() (which connects to netlogon) to determine site info.
DFS Service runs as Local System
If the Kerberos authentication fails for some reason, we fall back to NTLM and authenticate as NULL.
This call then fails, since the DC will not authenticate the null connection to the named pipe \pipe\netlogon.
Net Trace shows:
==================
DFS Server sends authn data:
SMB Command: Session Setup AndX (0x73)
Security Blob:
Domain name: NULL
User name: NULL
Host name: NNSFLS001
DC responds:
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_SUCCESS (0x00000000)
DFS Server tries to access \pipe\netlogon
SMB NT Create AndX Request, Path: \NETLOGON
DC Responds:
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_ACCESS_DENIED (0xc0000022)
Comments
Anonymous
May 16, 2006
Great post Steve, I hadn't a clue about that change.
joe
Anonymous
May 16, 2006
PingBack from http://blog.joeware.net/2006/05/16/372/
Anonymous
May 19, 2006
thx Joe!
Anonymous
October 25, 2006
The comment has been removed
Anonymous
December 13, 2006
The default is supposed to be set at none, so why would anyone want someone anonymously accessing their network anyhow?
Anonymous
December 20, 2006
To answer your question - see the notes in http://support.microsoft.com/kb/q289655/
Anonymous
July 22, 2008
Can you use wildcards in specifying NULL pipes? The reason is that I have an application that creates dynamic WMI pipes and I have a security requirement to restrict anonymous named pipes so it must be defined in the local security policy. Thanks in advance for any feedback.
Anonymous
January 30, 2011
Please provide me the registry key to set the following: Network access: Named Pipes that can be accessed anonymously: none