Jaa


Network security: Allow LocalSystem NULL session fallback

Updated: November 15, 2012

Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

Reference

This policy affects session security during the authentication process between computers running Windows Server 2008 R2 and Windows 7 and those computers running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7, services running as Local System require a service principal name (SPN) to generate the session key. However, if Network security: Allow Local System to use computer identity for NTLM is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting Network security: Allow LocalSystem NULL session fallback determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility.

Possible values

  • Enabled

    When a service running as Local System connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. This increases application compatibility, but it degrades the level of security.

  • Disabled

    When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the computer identity instead of a NULL session will still have full use of session security.

  • Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise.

Best practices

When services connect with the computer identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate.

This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2.

Location

GPO_name**\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options**

Default values

Server type or Group Policy Object (GPO) Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not applicable

Operating system version differences

This policy was introduced in Windows Server 2008 R2 and Windows 7, and it can be applied to all computers running at least Windows Server 2008 with SP1 and Windows Vista with SP1.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

If this setting is Enabled, when a service connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. Data that is intended to be protected might be exposed.

Countermeasure

You can configure the computer to use the computer identity for Local System with the policy Network security: Allow Local System to use computer identity for NTLM. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. To configure this policy, see Possible values for these options.

Potential impact

If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption.