Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions

Reading Time: 2 minutes

Server Message Block

Server Message Block (SMB) is a critical component for any Microsoft-oriented networking environment. That’s why hardening SMB is one of the critical steps in securing Active Directory Domain Controllers.

In the first part of this series, I’ve shown you how to report on incoming SMB connections on your Active Directory Domain Controllers. Now, let’s put the data to work. Let’s disable SMB null sessions.

 

The trouble with SMB null sessions

Active Directory is a technology that offers authentication, authorization and auditing. Access is granted (authorized) after authentication. But what if you can get access to certain resources without authenticating?

That is exactly what a null session can achieve. When an SMB session is set up anonymously, or with a guest account, this is commonly referred to as an SMB null session. Connecting without credentials eats away at everything Active Directory stands for… yet, many pentests will point out clearly that this is what Domain Controllers allow with default Operating System settings.

There’s debate whether null sessions are actually still around with default settings, but for argument’s sake, let’s disable them.

 

Getting rid of SMB null sessions

When we disable SMB null sessions, we might break the functionality other solutions offer to our infrastructure. This is undesirable. Therefore, we report on SMBv1, SMBv2 and SMB null sessions, before we disable any of them.

Disabling SMB null sessions

For Domain Controllers running Windows Server 2016, run the following three lines in an elevated Windows PowerShell session to disable SMB null sessions:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name RestrictAnonymous -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name RestrictAnonymousSAM -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name EveryoneIncludesAnonymous -Value 0 -PropertyType DWORD -Force

 

Concluding

Disabling SMB null sessions on Active Directory Domain Controllers improves the security posture of your Microsoft-oriented networking environment.

2 Responses to Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions

  1.  

    Hi Sander,

    My boss would like to know if there are any ramifications with disabling null sessions in our Active Directory environment on domain controllers. Are there any downsides to disabling null sessions?

    Thank you,

    John

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.