Anonymous User Connections

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Red Button access hack uses Anonymous User Connections , also called Null User Connection, to discover which account is the NT administrative account and what are the network shares. Disable by preventing anonymous connections to domains. This is block a significant informational exposure. Caution: this can have severe consequences on sql server access and creating/maintaining domain trusts. Registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1

To see the level of informational exposure NT has as default, download winfo and run it against your PDC. Also check my page on Penetration Testing, Hacking and Intrusion Detection.

Related:
Q143474 - Restricting Information Available to Anonymous Logon Users
Q184018 - NDS for NT does not support restrict anonymous connections
Q168464 - Directory Replication Fails with Event ID 3216

Featured Links