
4.16 NT Null Connection

Related to NT file sharing is the NT null connection, which we felt was important enough to mention separately. A null connection is an anonymous connection, with no password, to IPC$, the default NT interprocess communication share. With a null connection, attackers are able to connect to the IPC$ share and enumerate critical information about the NT systems. Hackers can gather this information either manually using NET commands or with tools such as DumpSec. Attackers are able to obtain a list of all users on the system, their account statuses, account policies, share information, registry settings, and other information that is useful in building attacks.

To defend against this attack, set the RestrictAnonymous registry value. This can be accomplished by following the steps below.

  1. Launch the regedt32 Registry Editor.

  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

  3. Create or modify the value of RestrictAnonymous. A REG_DWORD value of 1 will enable this feature.

  4. Exit the Registry Editor and restart the computer for the change to take effect. Null connections can still be established, but no information can be obtained.
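
The same four steps can be scripted so the setting can be audited before it is changed. The following is an added example, not from the original text; it assumes a Windows host where PowerShell is available and an elevated session, and the function name `Set-RestrictAnonymous` and its `-Enforce` switch are hypothetical.

```powershell
# Added example: report, and optionally set, RestrictAnonymous under the LSA key.
# Function and parameter names are hypothetical; changing the value needs an elevated session.
function Set-RestrictAnonymous {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Enforce   # without this switch the function only reports
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'RestrictAnonymous'

    # Step 2: locate the key and read the value; a missing value is reported as $null.
    $item    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }

    $result = [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Before        = $current
        After         = $current
        Changed       = $false
        RestartNeeded = $false
    }

    # Only a missing or 0 value is changed; any other value is left alone and reported.
    $needsChange = ($null -eq $current) -or ($current -eq 0)
    if (-not $needsChange) { return $result }

    if ($Enforce -and $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD 1')) {
        # Step 3: -Force creates the value or overwrites an existing one as REG_DWORD 1.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $result.After         = (Get-ItemProperty -Path $key -Name $name).$name
        $result.Changed       = $true
        $result.RestartNeeded = $true   # step 4: the change takes effect after a restart
    }
    return $result
}

Set-RestrictAnonymous              # report only
# Set-RestrictAnonymous -Enforce   # create or modify the value, then restart the computer
```

Running it without `-Enforce` first shows which hosts still have the value missing or set to 0; `-WhatIf` can be combined with `-Enforce` to preview the change.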
