空連接*一直*都能夠在NT4, Windows 2000, 和 Windows XP 的機器上實現。如果對方主機的相應服務是打開著的,並且沒有關閉139或445端口,你便可以使用匿名進行連接,對方主機會對回復你說“Command completed successfully"(命令成功完成)。這些在NT4 到Win2K 到 XP 中都沒有改變。
那什麼被改變了呢?在成功建立空連接後,你能干什麼呢?在NT4和Win2k的默認情況下,你可以枚舉賬戶列表和共享文件信息。當在注冊表中設置 RestrictAnonymous=1 時,它能夠幫你防止別人枚舉你的相關信息(雖然不是完全的防止)。RestrictAnonymous=2 將會完全防止,只在Win2K中有效。
在WinXP中,注冊表中的鍵值被重新定義了:
默認時,RestrictAnonymousSam=1 。這個將防治枚舉賬戶信息。這個鍵值的定義說明是:“Do not allow anonymous enumeration of SAM accounts.”默認值是激活了這項功能(這意味著XP默認時不能通過空連接來枚舉賬戶信息)。
默認時,RestrictAnonymous=0。這個將防治枚舉SAM中的賬戶信息和共享信息。這個鍵值的定義說明是:“Do not allow anonymous enumeration of SAM accounts and shares”激活開關的鍵值應該是1。
RestrictAnonymous=2在XP上不再有效。
所以,在XP系統的默認設置情況下,你能夠匿名連接並且枚舉共享信息,但是不能枚舉賬戶信息。
總而言之,想要完全的禁止匿名用戶連接,應該關閉139和445端口(通過IPSec端口過濾或Internet防火牆),或者在網絡的協議屬性中不選擇“在Microsoft網絡中共享文件和打印”。
原文:
Null sessions can *always* be established to NT4, Windows 2000, and Windows
XP machines. If the Machine's server service is enabled, and ports 139 or
445 are available, then you can do a net use with anonymous credentials,
and the system will respond with "Command completed successfully". This
has not changed from NT4 to Win2K to XP.
What has changed, however, is what you are able to do once you establish
the null session. In NT4 and Win2K, by default, you could enumerate
information about users and shares. Setting RestrictAnonymous=1 would help
prevent against this enumaration (though not fully). RestrictAnonymous=2
(Win2K only) would fully prevent this enumeration.
On Windows XP, there are new registry keys:
RestrictAnonymousSam=1 is a default setting. This prevents detailed
enumeration of user accounts. This setting correlates with the
SecurityPolicy setting "Do not allow anonymous enumeration of SAM
accounts" with a default setting 'Enabled" (meaning the default of XP will
prohibit anonymous enumeration (R.A.SAM=1).
RestrictAnonymous=0 is a default setting. This correlates with the
SecurityPolicy Setting "Do not allow anonymous enumeration of SAM accounts
and shares". Set this policy to 'Enabled' (RA=1) to prevent anonymous
enumeration of shares.
RestrictAnonymous=2 (on XP) is no longer a valid setting.
So, by default, on an XP system, you can anonymously connect and enumerate
shares by default, but you cannot enumerate detailed user information.
To disable anonymous connections altogether, block Access to tcp139/445
(IPSec port filters or Internet Connection Firewall), or uncheck "File and
Print Sharing for Microsoft Networks" from the network interface in
question (via the propertIEs tab of the network connection).
