Null Session Vulnerability

5/10/2007

When a program or service is started by using the System user account, the service logs on with null credentials. This is a potential security risk because it allows an unauthenticated logon to the system. A hacker or worm can exploit this vulnerability and potentially access sensitive data on the system.

The simplest way to reduce null session vulnerability is to disable NetBIOS and verify that ports 139 and 445 are closed.

However, if your run-time image requires NetBIOS, you can control null session access by editing the following registry key to restrict anonymous access to sensitive data:

Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous

Type: DWORD

Value: 0

The default value of RestrictAnonymous is 0. Changing this value to 1 blocks enumeration of SAM and user accounts, and prohibits a null session from seeing user accounts and admin shares. A value of 2 disables null session access without explicit permissions. Changing this value to 2 may conflict with some applications that rely on null sessions.

After you change the registry data, reboot your run-time images and test your applications to verify that they work with restricted null session access.
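The following added example (not part of the original page) checks both mitigations offline, from the text output of `reg query` for the LSA key and `netstat -an` collected on a run-time image. The function names and sample output are constructed for illustration, and treating an absent RestrictAnonymous value as the default 0 is an assumption.

```python
import re

# RestrictAnonymous settings as described on this page.
LEVELS = {
    0: "default, anonymous access not restricted",
    1: "null sessions cannot enumerate SAM/user accounts or see admin shares",
    2: "null session access requires explicit permissions",
}
NULL_SESSION_PORTS = {139, 445}

def parse_restrict_anonymous(reg_output):
    """Return the DWORD shown by `reg query`, or None when the value is absent."""
    m = re.search(r"^\s*RestrictAnonymous\s+REG_DWORD\s+0x([0-9a-f]+)\s*$",
                  reg_output, re.MULTILINE | re.IGNORECASE)
    return int(m.group(1), 16) if m else None

def listening_ports(netstat_output):
    """Return TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))  # also handles [::]:445
    return ports

def audit(reg_output, netstat_output):
    """Summarize null session exposure for one run-time image."""
    value = parse_restrict_anonymous(reg_output)
    level = 0 if value is None else value  # assumption: absent means the default, 0
    open_ports = sorted(listening_ports(netstat_output) & NULL_SESSION_PORTS)
    return {
        "restrict_anonymous": level,
        "meaning": LEVELS.get(level, "unrecognized value"),
        "open_ports": open_ports,
        # Unrestricted only when the ports are reachable and the default is in place.
        "unrestricted": bool(open_ports) and level == 0,
    }

# Constructed sample output, not captured from a real system.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
    RestrictAnonymous    REG_DWORD    0x0
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:445           ESTABLISHED
"""

if __name__ == "__main__":
    print(audit(SAMPLE_REG, SAMPLE_NETSTAT))
```

Run it again on output collected after the reboot to confirm that the change took effect on each image.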
