Albert Ros

Null Sessions: QIDs 70003 vs 90044

Discussion created by Albert Ros on Oct 18, 2018

Hi all,

 

Qualys flags a lot of my assets with the QID 90044 (Allowed Null Session) and only a few of them with the QID 70003 (Null Session/Password NetBIOS Access).

 

QID 90044 checks if the registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA RestrictAnonymous = 0 while QID 70003 seems to check it actively as is a "Remote Discovery" control.

 

After some tests, I can state that I could connect with Null Sessions to the assets with QID 70003  while it was not possible to establish a Null Session.

 

What are your experience regarding these QIDs? Should Qualys update the checks for QID 90044 to take into account more configuration parameters? As is stated in QID70003 information, all these parameters are important.

 

 

I created this relationship between GPOs and registry keys:

 

  • Network access: Do not allow anonymous enumeration of SAM accounts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM 
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
  • Network access: Let Everyone permissions apply to anonymous users HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\everyoneincludesanonymous
  • Network access: Shares that can be accessed anonymously HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
  • Network access: Named Pipes that can be accessed anonymously HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
  • Network access: Restrict anonymous access to Named Pipes and Shares HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess

 

Another option is to avoid results about QID 90044 as it seems in servers > Windows 2003 don't imply any real risk. What are your thoughts/experience?

 

Regards,

Albert

Outcomes