Written by Rafael Silva

Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions

Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions

https://ift.tt/3ktXaUo

Server Message Block

Server Message Block (SMB) is a critical component for any Microsoft-oriented networking environment. That’s why hardening SMB is one of the critical steps in securing Active Directory Domain Controllers.

In the first part of this series, I’ve shown you how to report on incoming SMB connections on your Active Directory Domain Controllers. Now, let’s put the data to work. Let’s disable SMB null sessions.

The trouble with SMB null sessions

Active Directory is a technology that offers authentication, authorization and auditing. Access is granted (authorized) after authentication. But what if you can get access to certain resources without authenticating?

That is exactly what a null session can achieve. When an SMB session is set up anonymously, or with a guest account, this is commonly referred to as an SMB null session. Connecting without credentials eats away at everything Active Directory stands for… yet, many pentests will point out clearly that this is what Domain Controllers allow with default Operating System settings.

There’s debate whether null sessions are actually still around with default settings, but for argument’s sake, let’s disable them.

Getting rid of SMB null sessions

When we disable SMB null sessions, we might break the functionality other solutions offer to our infrastructure. This is undesirable. Therefore, we report on SMBv1, SMBv2 and SMB null sessions, before we disable any of them.

Disabling SMB null sessions

For Domain Controllers running Windows Server 2016, run the following three lines in an elevated Windows PowerShell session to disable SMB null sessions:

New-ItemProperty -Path "HKLM:SystemCurrentControlSetControlLsa" -Name RestrictAnonymous -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:SystemCurrentControlSetControlLsa" -Name RestrictAnonymousSAM -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:SystemCurrentControlSetControlLsa" -Name EveryoneIncludesAnonymous -Value 0 -PropertyType DWORD -Force

Concluding

Disabling SMB null sessions on Active Directory Domain Controllers improves the security posture of your Microsoft-oriented networking environment.

The post Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions appeared first on The DirTeam.com / ActiveDir.org Weblogs.

windows,microsoft

via The DirTeam.com / ActiveDir.org Weblogs https://dirteam.com

September 22, 2021 at 11:38AM
Sander Berkouwer