Over the last couple of months we have seen a sharp increase in the number of scans for Windows 9x, NT, 2000, and XP machines that are sharing folders on the network. There are a variety of worms and hacker tools available, including the Fluxay worm, which will scan large sections of the Internet for Windows machines and then attempt to break into or infect those machines via the Windows Networking protocols. Often we find that there is no password on the file share or on the accounts allowed access, giving the world access to the machine. In other cases we find that while a password is set, it is easily guessable, leaving the machine vulnerable to "dictionary" attacks, where the attacking machine quickly attempts to authenticate to the target using a large file of words in a variety of languages and of commonly used passwords (like "drowssap" or "letmein"). This is made worse by the fact that the default configuration of Windows allows users to connect to the machine over the network and enumerate a list of user accounts and shared resources through a "null session", where no authentication or identification is required. Hackers can then exploit this configuration to try to authenticate to the system via a dictionary attack.

If you run a Windows machine and do not need to share files or printers from your machine to other machines on the network, we recommend that you completely disable file and printer sharing on your machine. Doing so will not prevent you from accessing files on other machines or printing to printers on other machines; it only stops your machine from sharing files or printers with the world. If you must share files or printers from your machine, it is still possible to tighten up the amount of information available to null sessions, which we have explained below. Also, know that restricting null-session access, or even disabling file and printer sharing, is not a substitute for using strong passwords on all user accounts. You need to do that as well.

WARNING!!! All of the procedures described on this page could potentially cause undesirable results in your environment. They should be tested before applying them to critical or production machines. Further, you should consult your systems administrator or technical support staff if you are unsure of the consequences.

Disabling File and Printer Sharing on Windows 9x, ME, 2000, and XP

All of these versions of Windows, other than Windows NT 4.0, have a built-in mechanism for disabling file sharing.

Windows 2000/XP

Please note that these screen shots have been taken from a Windows 2000 Professional machine, but the information should be roughly the same for Windows XP.

  1. First, right click on "My Network Places" and select "Properties".
     [Screenshot: "My Network Places/Properties"]
  2. Next, find your network card (probably labeled "Local Area Connection" or the name of the type of Ethernet adapter you have installed), right click on it, and select "Properties".
     [Screenshot: "Local Area Connection/Properties"]
  3. Uncheck "File and Printer Sharing for Microsoft Networks".
     [Screenshot: "File and Printer Sharing for Microsoft Networks"]
  4. Repeat the previous steps for each network adapter you have installed.

Windows 9x/Me

These screen shots have been taken from a Windows 98SE machine, but the same information may be applicable to Windows 95, 98, and Me. Thanks to Adam Light for providing the screen shots and helpful feedback.

  1. First, right click on "Network Neighborhood" and select "Properties".
     [Screenshot: "Network Neighborhood/Properties"]
  2. Next, click the button marked "File and Print Sharing..."
     [Screenshot: "File and Print Sharing"]
  3. Uncheck both boxes on the "File and Print Sharing" dialog box.
     [Screenshot: "Uncheck Boxes"]

Restricting Null-Session Access on Windows NT 4.0, 2000, and XP

Servers that need to provide file or printer sharing to other machines on the network must use strong passwords on the accounts used to access these resources. Furthermore, it is recommended that some settings be tightened to prevent remote users from obtaining a list of the users on the system. An excellent discussion of this issue can be found in the article "RestrictAnonymous: Enumeration and the Null User" on the SecurityFocus web site. This particular issue is also discussed, along with other critical security settings for Windows machines, in the SANS "Step-by-Step" security guides hosted on this site.

Under Windows NT 4.0 and 2000 you can close the most egregious security holes in null-session access by adding the following key to the registry:

Windows 2000 allows additional values to be set which further restrict null-session access. However, setting these values will break connectivity with Windows 9x and NT 4.0 machines! If you choose to further restrict anonymous access on your Windows 2000 machine, you can edit the above registry key through the "Local Security Policy" under the "Security" settings section by setting "Additional Restrictions for Anonymous Connections" to "No Access Without Explicit Permissions".

Windows XP also supports these settings, but they are now displayed in the "Security Policy" GUI as "Network access: Do not allow anonymous enumeration of SAM accounts" and "Network access: Do not allow anonymous enumeration of SAM accounts and shares". Set both of these to "Enabled".
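As an added example that is not part of the original page, the following PowerShell audit reports the two things the sections above ask you to check: whether "File and Printer Sharing for Microsoft Networks" is still bound to any network adapter, and what the RestrictAnonymous and RestrictAnonymousSAM registry values behind the quoted policy names are set to. It assumes a modern PowerShell host with the NetAdapter module (Get-NetAdapterBinding), which did not exist on the Windows versions the page describes; the LSA value names are the documented Windows ones, while the function names are my own.

```powershell
# Added audit example (not part of the original page). Assumes PowerShell 5+
# with the NetAdapter module; value names are the documented LSA registry
# settings behind the policy names the text quotes.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # Returns the DWORD, or $null when the value was never set (the Windows default).
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-FileSharingAdapters {
    # Adapters on which "File and Printer Sharing for Microsoft Networks"
    # (component ms_server) is still bound, i.e. what the GUI steps untick.
    Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name
}

function Get-NullSessionPosture {
    $ra    = Get-LsaDword 'RestrictAnonymous'      # 0/unset, 1, or 2 (2000 only)
    $raSam = Get-LsaDword 'RestrictAnonymousSAM'   # XP and later; absent on NT 4.0/2000
    $bound = @(Get-FileSharingAdapters)
    $findings = @()
    if (-not $ra) {
        $findings += 'RestrictAnonymous is 0/unset: null sessions can list accounts and shares.'
    } elseif ($ra -eq 2) {
        $findings += 'RestrictAnonymous is 2: strongest setting, but breaks Windows 9x/NT 4.0 clients.'
    }
    if ($null -ne $raSam -and $raSam -eq 0) {
        $findings += 'RestrictAnonymousSAM is 0: anonymous SAM account enumeration is allowed.'
    }
    if ($bound.Count -gt 0) {
        $findings += "File sharing is still bound on: $($bound -join ', ')"
    }
    [pscustomobject]@{
        RestrictAnonymous    = $ra
        RestrictAnonymousSAM = $raSam
        SharingBoundTo       = $bound
        Findings             = $findings
    }
}

# Review the findings first; the text recommends testing before changing
# production machines. Remediation, once decided on, is one line each:
#   Disable-NetAdapterBinding -Name '*' -ComponentID ms_server
#   Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value 1 -Type DWord
Get-NullSessionPosture | Format-List
```

Run it from an elevated prompt; an empty Findings list and an empty SharingBoundTo list correspond to the hardened state the page recommends for a machine that does not need to share.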
