Javid Abdul-AJAVID1 abduljavid at motorola.com
Tue Jul 29 14:32:27 GMT 2003

Is there any way, any parameter (2.2.8a), I can use to block null username (anonymous) passwords to remedy the ISS scans?


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, July 28, 2003 6:42 PM
To: Javid Abdul-AJAVID1
Cc: Multiple recipients of list SAMBA-TECHNICAL
Subject: Re: nt-netbios-nullsession

On Tue, 2003-07-29 at 06:29, Javid Abdul-AJAVID1 wrote:
> Sorry to bother technical group, but I have been looking for this for 
> long.
> Anybody knows the vulnerability for "nt-netbios-nullsession". Samba 
> runs in domain mode/heterogeneous environment here. Ver 2.2.8a on 
> solaris ( in windows domain )
> Security is major concern in our corp here.
> Is there a fix out there for null sessions.

Null sessions are only an issue in that they allow information leakage. 
You can find out user-names that are valid on the system.  In most organisations, this is available anyway, so you don't actually gain much - but that doesn't stop those with the power to impose such directives....

> Will this escape the ISS (security scans ) for 
> "nt-netbios-nullsession" restrict anonymous = yes.

Only in Samba 3.0 - and it causes Samba to be unable to perform a number of roles on the network - in particular, you cannot be a DC, or participate in browsing.  In Samba 3.0 that option is an integer; 'restrict anonymous = 2' does not permit the null user to connect to IPC$.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
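The setting discussed in the thread can be audited directly from smb.conf. The following is an added example, not code from the thread or from the Samba project: a small Python reader for the `[global]` section that reports the `restrict anonymous` level so an administrator can confirm whether the Samba 3.0 value of 2 (the one the reply says refuses null-user connections to IPC$) is actually in effect before an ISS scan is re-run. The two configuration fragments are constructed for the example; the parser is deliberately simplified (no `include =` handling, no line continuations), and the mapping of the older boolean spellings `yes`/`no` to 1/0 is an assumption of this script, not something the thread states.

```python
import re

# Constructed sample smb.conf fragments (not taken from the thread).
SMB_CONF_WEAK = """
[global]
   workgroup = EXAMPLE
   security = domain
   ; default: the null user may still connect to IPC$
   restrict anonymous = 0

[homes]
   browseable = no
"""

SMB_CONF_HARDENED = """
[global]
   workgroup = EXAMPLE
   security = domain
   # Samba 3.0 integer form; 2 refuses the null user access to IPC$
   restrict anonymous = 2
"""


def parse_global(conf_text):
    """Return the [global] section of an smb.conf as {normalised key: value}.

    Simplified reader: ignores 'include =' directives and line continuations.
    Keys are case-insensitive and internal whitespace is not significant,
    so 'Restrict Anonymous' and 'restrict anonymous' collapse to one key.
    """
    section = None
    params = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def restrict_anonymous_level(conf_text):
    """Integer 'restrict anonymous' level from [global]; 0 when unset.

    Assumption of this script: the boolean spellings accepted by older
    releases are mapped yes/true -> 1 and no/false -> 0.
    """
    value = parse_global(conf_text).get("restrictanonymous", "0").lower()
    if value.isdigit():
        return int(value)
    if value in ("yes", "true"):
        return 1
    if value in ("no", "false"):
        return 0
    raise ValueError(f"unrecognised 'restrict anonymous' value: {value!r}")


def null_ipc_blocked(conf_text):
    """True only at level 2, the value the thread describes as refusing
    null-user connections to IPC$."""
    return restrict_anonymous_level(conf_text) >= 2


def audit(conf_text):
    """One-line finding suitable for a configuration review report."""
    level = restrict_anonymous_level(conf_text)
    state = "refused" if level >= 2 else "allowed"
    return f"restrict anonymous = {level}: null-session IPC$ access {state}"


if __name__ == "__main__":
    for name, conf in (("weak", SMB_CONF_WEAK), ("hardened", SMB_CONF_HARDENED)):
        print(f"{name:9s} {audit(conf)}")
```

Run it against a real smb.conf by passing `open("/etc/samba/smb.conf").read()` to `audit()`. As the reply points out, a level-2 result is only "good" if the host does not need to act as a DC or take part in browsing; the audit tells you what is configured, not whether that trade-off is acceptable for the server's role.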
