4.7.15. NULL sessions restrictions of server and workstation RPC operations
For some of the lanmanserver and lanmanworkstation RPC services operations
(srvsvc and wkssvc named pipes), restrictions are hardcoded and documented
in MSDN, under the Security requirements section. Depending on the requested
information level, membership in the Administrators or Account Operators
local group may or may not be required.
The following srvsvc operations can be used anonymously:
- NetrShareEnum (levels 1 and 2 only)
- NetrServerTransportEnum
In addition, on Windows 2000 workstations and member servers, the following
srvsvc operations can be used anonymously if RestrictAnonymous is set to 0:
- NetrServerGetInfo (levels 100 and 101 only)
The following wkssvc operations can be used anonymously:
- NetrWkstaGetInfo (level 100 only)
- NetrWkstaTransportEnum
It is possible to modify the security requirements for some of the srvsvc
operations by modifying some of the security descriptors found under the
DefaultSecurity registry key, under the lanmanserver registry key.
On a default Windows 2000 system, the following registry values are available:
- SrvsvcConfigInfo
- SrvsvcFile
- SrvsvcServerDiskEnum
- SrvsvcSessionInfo
- SrvsvcShareAdminConnect
- SrvsvcShareAdminInfo
- SrvsvcShareConnect
- SrvsvcShareFileInfo
- SrvsvcSharePrintInfo
- SrvsvcStatisticsInfo
On Windows XP and Windows Server 2003, additional security descriptors exist:
- SrvsvcConnection
- SrvsvcTransportEnum
The Tweak UI tool (part of Microsoft PowerToys for Windows XP) has an Access
Control feature that allows the configuration of these security descriptors
for Windows XP and Windows Server 2003:
- Manage file and printer sharing (SrvsvcConfigInfo)
- Manage file/print server connections (SrvsvcConnection)
- Manage file server open files (SrvsvcFile)
- Enumerate file servers disks (SrvsvcServerDiskEnum)
- Manage file/print server sessions (SrvsvcSessionInfo)
- Connect to administrative shares (SrvsvcShareAdminConnect)
- Manage administrative shares (SrvsvcShareAdminInfo)
- Connect to file and printer shares (SrvsvcShareConnect)
- Manage file shares (SrvsvcShareFileInfo)
- Manage printer shares (SrvsvcSharePrintInfo)
- Read file/print server statistics (SrvsvcStatisticsInfo)
- Enumerate server transport protocols (SrvsvcTransportEnum)
Using Tweak UI, it is possible to harden Windows XP and Windows Server 2003
against NULL sessions to the srvsvc interface by removing the ACEs that
contain ANONYMOUS LOGON.
The security descriptors are only read when the lanmanserver service starts.
Thus, any modification requires a restart of the service.
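
The result of the hardening described above can be checked by decoding a
DefaultSecurity value and listing the allow ACEs that name ANONYMOUS LOGON
(well-known SID S-1-5-7). The Python code below is an added example, not part
of the original document; it assumes the values are stored as self-relative
security descriptors, and the sample descriptors and access masks are
constructed for illustration.

```python
import struct

ANONYMOUS_LOGON = "S-1-5-7"   # well-known SID of ANONYMOUS LOGON
SE_DACL_PRESENT = 0x0004      # Control flag in the descriptor header

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-R-A-S... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Return [(ace_type, mask, sid)] for the DACL of a self-relative descriptor."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl == 0:
        raise ValueError("no DACL (a NULL DACL grants access to everyone)")
    _aclrev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl)
    aces, off = [], dacl + 8
    for _ in range(count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if size < 8 or off + size > len(sd):
            raise ValueError("corrupt ACE size")
        # Only ACCESS_ALLOWED (0) and ACCESS_DENIED (1) carry the SID right after the mask.
        sid = parse_sid(sd, off + 8) if ace_type in (0, 1) else None
        aces.append((ace_type, mask, sid))
        off += size
    return aces

def anonymous_allow_masks(sd):
    """Access masks of the allow ACEs that name ANONYMOUS LOGON."""
    return [m for t, m, s in dacl_aces(sd) if t == 0 and s == ANONYMOUS_LOGON]

def make_sid(authority, *subs):
    """Helper for the constructed samples: encode a revision-1 SID."""
    head = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def build_sample(entries):
    """Constructed descriptor with one allow ACE per (sid_bytes, mask) pair."""
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(s), m) + s for s, m in entries)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

# Constructed samples (masks are illustrative), not read from a real system.
ADMINS = make_sid(5, 32, 544)      # BUILTIN\Administrators
ANON = make_sid(5, 7)              # ANONYMOUS LOGON
DEFAULT_LIKE = build_sample([(ADMINS, 0x000F0003), (ANON, 0x00000001)])
HARDENED = build_sample([(ADMINS, 0x000F0003)])
NO_DACL = struct.pack("<BBHIIII", 1, 0, 0x8000, 0, 0, 0, 0)
```

A non-empty result from anonymous_allow_masks() means the descriptor still
grants access to NULL sessions. A descriptor with no DACL is reported as an
error rather than as clean, since it grants access to everyone.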