Manage Learn to apply best practices and optimize your operations.

How to prevent null session attacks

In the conclusion of his two-part series, site expert Kevin Beaver offers several solutions for preventing null session attacks on Windows NT and 2000 systems.

In part one of this two-part series, Windows Security Threats site expert Kevin Beaver explained where and why...

null session vulnerabilities continue to run rampant. Part two below will discuss how you can prevent null session attacks.

In my first article, I described how a null session vulnerability attack occurs and who is most vulnerable. Now the question is, how can you protect your systems?

There is a solution
One quick fix is to upgrade your desktops to Windows XP and your servers to Windows Server 2003. This is not completely foolproof because these systems can have their security policies or registry settings misconfigured to permit this exploit.

For Windows NT 4.0 systems running Service Pack 3 and higher, you can create the \\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in the registry and set it to a value of 1. This will prevent certain anonymous connections, but not all of them. The only true fix for the null session vulnerability on Windows NT is a good intrusion prevention system (IPS) -- or better yet upgrade to Windows XP or Server 2003.

For Windows 2000 systems, you can use RestrictAnonymous=2 in the registry or set the "Additional restrictions for anonymous connections" in the Windows security policy to "No access without explicit anonymous permissions."

Your best option is to simply block SMB communications by limiting traffic on TCP ports 139 and 445 (excluding NT which doesn't use 445) to trusted networks. I know it seems painfully obvious, but people still have unprotected Windows systems out there for the taking. A basic firewall and host-based IPS can do wonders for this.

Do it yourself
I encourage you to check this out yourself on your own Windows systems -- especially the critical systems such as servers and administrator stations. By creating null session connections and using the tools listed above and even one of my favorite tools -- SuperScan by Foundstone -- you can test for this serious vulnerability and fix it before the bad guys point it out for you.

Luckily, Microsoft is heading down the right path by changing default Windows security settings to help prevent the null session vulnerability from being exploited. But you'd still need to periodically test your systems, even if they've been hardened, to make sure they can't be exploited. You never know when the bad guys wilkl pull out their old tricks to try and take your network down.

Click to return to part one.

About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on He specializes in information security assessments and incident response and is the author of the new book "Hacking for dummies" by John Wiley and Sons. Kevin can be reached at [email protected] or ask him a question on Windows security threats today.

For More Information

Get Five steps to controlling network access

Learn eight ways to protect Windows from perimeter threats.

Ask expert Kevin Beaver your Windows security threats questions.

Dig Deeper on Windows Server storage management