Security hole?

Andrew Tridgell tridge at samba.anu.edu.au
Mon May 4 06:30:15 GMT 1998


>     I've heard recently that NT had a weakness because it accepted
> the so called 'null sessions', so that one machine could administer
> another NT remotely, without providing a username and password. I
> found a small program on Internet, named QTIP, that can query any NT
> machine and get much useful information from it, such as a list of
> users, list of shares, information about a user (for instance, user
> cannot change password). I've tested this program against one NT4
> server under my administration, across the Internet, and it worked!
> The bad part is that it worked against SAMBA NTDOM too!

null sessions are needed to allow for browse list propagation. Without
them two hosts can't synchronise their browse lists. (how would you
enter a password while synchronizing browse lists?)

You are right that null sessions can also be used to obtain
information. You can obtain a shares list and the name of the
workgroup etc. I never considered this to be a security hole.

What you should be doing is using the "hosts allow" and "hosts deny"
options to restrict access to your server to hosts that you want to be
able to get in. Hosts not listed won't be able to synch browse lists,
so you would normally set the list to include your organisation's local
subnets and loopback.

>     Am I mistaken? Does this really constitute a security hole to which
> samba is vulnerable? I've heard also that NT4 with SP3 can, if the
> administrator knows, be setup on the registry to not accept 'null
> sessions'. Wouldn't it be interesting for samba to do the same?

hmmm, if you set this option in NT then how does browse list
propagation work? There is no way you could do inter-subnet browsing
without null sessions.

Cheers, Andrew
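Added example, not from the original post and not Samba's own code: a Python model of the "hosts allow" / "hosts deny" check Tridgell recommends, run over a constructed smb.conf fragment that whitelists local subnets and loopback, beside the default configuration that admits any client. It assumes tcp_wrappers-style evaluation (a match in the allow list admits, then a match in the deny list refuses, otherwise the client is admitted) and supports only the ALL keyword, dotted prefixes, network/mask and single addresses.

```python
import ipaddress

# Constructed smb.conf fragments (not real deployed configs).
# The first admits everyone (no hosts allow/deny at all); the second
# restricts access to loopback and two internal networks.
DEFAULT_CONF = """
[global]
   workgroup = EXAMPLE
"""
LOCKED_CONF = """
[global]
   workgroup = EXAMPLE
   hosts allow = 127. 192.168.1. 10.0.0.0/255.255.0.0
   hosts deny = ALL
"""

def parse_global(conf):
    """Return the [global] section of an smb.conf as a dict of lowercased keys."""
    section, values = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def host_matches(pattern, ip):
    """Match one hosts allow/deny pattern against a dotted IPv4 client address."""
    addr = ipaddress.IPv4Address(ip)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # network/netmask or network/prefixlen
        net, _, mask = pattern.partition("/")
        return addr in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):  # dotted prefix such as "192.168.1."
        return ip.startswith(pattern)
    return ip == pattern  # single address

def client_allowed(conf, ip):
    """Assumed evaluation order: allow list wins, then deny list, else admit."""
    g = parse_global(conf)
    allow = g.get("hosts allow", "").split()
    deny = g.get("hosts deny", "").split()
    if any(host_matches(p, ip) for p in allow):
        return True
    if any(host_matches(p, ip) for p in deny):
        return False
    return True
```

With DEFAULT_CONF an Internet host such as 203.0.113.9 is admitted and can open a null session; with LOCKED_CONF only loopback and the listed subnets get that far.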

