Security Watch

Lock Down Remote Registry Access

Block anonymous users from accessing confidential information.

When hardening Windows 2000 Server and Windows NT 4.0, I hope you've been able to restrict remote anonymous access to the Registry (see Microsoft Knowledge Base article 153183), along with anonymous exposure of account names, shares and other information (KB 143474).

By doing so, you ensure that only authorized individuals can connect remotely to the Registry and get that sensitive information. Both processes require Registry configuration (detailed in the KB articles), and both may be impossible if legacy applications are using anonymous access. There are workarounds that let you continue to use those legacy applications and still block some forms of anonymous access. For example, you can add the name of the service to the NT Registry value AllowedPaths at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\, or add the required pipe and share names to the Win2K Registry values NullSessionShares and NullSessionPipes at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\.

Alternatively, to help legacy applications, it's possible to configure the RestrictNullSessAccess value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\.

It's critical to note that this value, if set to 0, overrides anonymous restrictions set elsewhere.

Since you may have Windows computers on which this setting has been configured, I'm asking you to take a look. Check the Registry in NT 3.51, NT 4.0 and Win2K computers. Pay special attention to those Win2K computers that may have been upgraded from earlier versions of NT. Look for the RestrictNullSessAccess value in the Registry. If the value doesn't exist or is set to 1 -- the default -- you're OK.

If the value is 0, it may be possible to anonymously access that machine's Registry. To fix the problem, set the value to 1 and, if applications require anonymous access, configure that access using appropriate Registry keys as detailed in the articles above. You can read more about this problem in KB 830070.
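The check described above can be run across several machines from one administrative workstation. The following PowerShell sketch is an added example, not part of the original column: it reads RestrictNullSessAccess under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters over remote Registry, applies the column's rule (absent or 1 is OK, 0 is exposed) and lists the NullSessionPipes and NullSessionShares entries for review. The host names are placeholders, and the function name Get-NullSessionStatus is made up for this example.

```powershell
# Added example (not from the article): read-only audit of RestrictNullSessAccess.
# Assumptions: placeholder host names; the account running this may read the
# targets' Registry remotely.
$Computers = 'SERVER01', 'SERVER02'   # placeholders, replace with your own hosts
$KeyPath   = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionStatus {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $hive = $null
    $key  = $null
    $row  = [ordered]@{
        Computer               = $ComputerName
        RestrictNullSessAccess = '(not set)'
        Status                 = 'OK'
        NullSessionPipes       = ''
        NullSessionShares      = ''
    }
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hive.OpenSubKey($KeyPath)
        if ($null -eq $key) { throw "Key not found: HKLM\$KeyPath" }

        # GetValue returns $null when the value is absent (the safe default).
        $restrict = $key.GetValue('RestrictNullSessAccess', $null)
        if ($null -ne $restrict) {
            $row.RestrictNullSessAccess = $restrict
            if ([int]$restrict -eq 0) { $row.Status = 'EXPOSED' }
            elseif ([int]$restrict -ne 1) { $row.Status = 'UNEXPECTED VALUE' }
        }
        # Names still reachable anonymously; review each against what legacy apps need.
        $row.NullSessionPipes  = @($key.GetValue('NullSessionPipes',  @())) -join ', '
        $row.NullSessionShares = @($key.GetValue('NullSessionShares', @())) -join ', '
    }
    catch {
        $row.RestrictNullSessAccess = '(unknown)'
        $row.Status = "ERROR: $($_.Exception.Message)"
    }
    finally {
        if ($null -ne $key)  { $key.Close() }
        if ($null -ne $hive) { $hive.Close() }
    }
    [pscustomobject]$row
}

$Computers | ForEach-Object { Get-NullSessionStatus -ComputerName $_ } |
    Format-Table -AutoSize
```

OpenRemoteBaseKey depends on the Remote Registry service running on the target, so hosts that cannot be reached or that refuse the connection show up as ERROR rows rather than as OK.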

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
