Andrew Bartlett abartlet at samba.org
Wed Jul 30 22:28:16 GMT 2003

On Thu, 2003-07-31 at 06:01, Javid Abdul-AJAVID1 wrote:
> Thanks a bunch for your email response, really appreciate it.
> I think scanner scans for all vulnerabilities including the one that am intrested in "NULL SESSION".
> Does samba 3.0 restricts null sessions 

As I already said *twice*.  Samba 3.0 allows you to restrict null
sessions using the 'restrict anonymous' parameter.

> What are the implications of using restrict anonymous = true ( my server is not a DC, its member server in AD domain, which provides nfs shares to win2k clients.

In Samba 2.2 - weird stuff.  It's not a useful parameter.  In Samba 3.0,
it has been changed to have the same meaning as microsoft has documented
for their 'restrictanonymous' registry key.

The implications are as described in my earlier e-mail, and in microsoft
documentation on this point.

> Regards
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Tuesday, July 29, 2003 5:09 PM
> To: Javid Abdul-AJAVID1
> Cc: 'Andrew Bartlett'; Multiple recipients of list SAMBA-TECHNICAL
> Subject: RE: nt-netbios-nullsession
> On Wed, 2003-07-30 at 00:32, Javid Abdul-AJAVID1 wrote:
> > Is there any way , any parameter (2.2.8a) I can use to block null 
> > username ( anonymous ) passwords to remedy the ISS scans.
> Not that I know of - you could start playing real silly buggers with the IPC$ share name, (set guest ok = no on that share) but there is nothing intentional.
> Samba 3.0 adds the ability to easily restrict such access, as detailed in Samba 2.2.  
> If your security policy is based on 'what the scanner told me' then it's a pretty sad 'security' policy...  (If the box is not a DC, it has not got that much information to give away, even if it wanted to)
> Why not add a hosts deny for the host scanning you? ;-)
> Andrew Bartlett
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030730/6928caa6/attachment.bin

More information about the samba-technical mailing list