I am the system administrator at a company. We just had a penetration test run on our internal network, and the team found that they could use the following commands to query/enumerate our DC (Server 2012) for information:
Global.exe – shows a list of users in a DA group (such as "Domain Administrators" and "Enterprise Admins")
Getpolicy.exe – shows the password policy of the domain.
Local.exe – FAILED – shows the local administrators on any individual machine.
Their recommendation was:
Enable the "Restrict Anonymous" registry key setting on all Windows domain controllers and any other sensitive NT/2000 servers or workstations.
In order to configure the "Restrict Anonymous" setting:
· Open Regedt32.exe (Start > Run > type 'regedt32' and click OK)
· Locate the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
· Double-click the DWORD value name 'RestrictAnonymous'
· Enter the appropriate setting according to your environment.
For Windows 2003 and later, edit the network security settings in the Group Policy editor.
· Network Access: Do not allow anonymous enumeration of SAM accounts and shares
· Network Access: Do not allow anonymous enumeration of SAM accounts
Disable the following settings:
· Network Access: Anonymous access to Named Pipes and Shares
· Network Access: Allow anonymous SID/Name translation
But, if I am not mistaken, we already have all of these recommendations in our current live GPO settings:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options - Enabled
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Shares that can be accessed anonymously = nullsessionpipe - Disabled
Network access: Let Everyone permissions apply to anonymous users – already set up in GPO
Network access: Allow anonymous SID/Name translation – already set up in GPO
Additional mitigation we have:
Use GPO to update the registry with the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous = 1
RestrictAnonymousSAM = 1
EveryoneIncludesAnonymous = 0
They claim that, since our global settings are correct and one of the enumeration/query tools (local.exe) does not work, we probably have a different setting overriding these, and that an attacker should not be able to run Getpolicy.exe and Global.exe. What could cause this, and where can I find a solution? Completely forbidding/disabling null sessions would also be acceptable, but I would like to know how to keep them and prevent them from doing the above. Thanks!
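An added example (my own, not from the original post or the pentesters' report) for checking what is actually in effect on the DC rather than what the GPO is supposed to set. It reads the registry values the post lists, compares them with the hardened baseline the post describes (the baseline values and the `Test-RegistryBaseline` function are assumptions of this example), and then shows which named pipes and shares are still reachable without authentication. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example, not from the original post or the pentest report: audit the effective
# anonymous-access values on this machine against the baseline the post describes.

# Baseline values (assumption: this is what the poster's GPO is meant to enforce).
$LsaBaseline = @{
    RestrictAnonymous         = 1   # Do not allow anonymous enumeration of SAM accounts and shares
    RestrictAnonymousSAM      = 1   # Do not allow anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # Let Everyone permissions apply to anonymous users = Disabled
}
$ServerBaseline = @{
    RestrictNullSessAccess    = 1   # Restrict anonymous access to Named Pipes and Shares = Enabled
}

# Hypothetical helper: compare the values under one key with an expected hashtable
# and emit one object per value with an OK / MISMATCH / MISSING status.
function Test-RegistryBaseline {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [hashtable]$Expected
    )
    $Actual = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($Name in $Expected.Keys) {
        $Value = $Actual.$Name
        if ($null -eq $Value) {
            $Status = 'MISSING'      # value absent: policy not applied, OS default in use
        } elseif ($Value -ne $Expected[$Name]) {
            $Status = 'MISMATCH'     # something else (another GPO, local edit) wins
        } else {
            $Status = 'OK'
        }
        [pscustomobject]@{
            Key      = $Path
            Name     = $Name
            Expected = $Expected[$Name]
            Actual   = $Value
            Status   = $Status
        }
    }
}

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

Test-RegistryBaseline -Path $LsaKey    -Expected $LsaBaseline
Test-RegistryBaseline -Path $ServerKey -Expected $ServerBaseline

# Pipes and shares still reachable without authentication. On a domain controller
# Windows lists netlogon, samr and lsarpc in NullSessionPipes by default, so a GPO
# that re-applies that default would let SAM/LSA queries succeed even when the
# enumeration settings above all report OK.
$Server = Get-ItemProperty -Path $ServerKey
[pscustomobject]@{
    NullSessionPipes  = ($Server.NullSessionPipes  -join ', ')
    NullSessionShares = ($Server.NullSessionShares -join ', ')
}
```

If a value reports MISMATCH or MISSING, `gpresult /h C:\gpreport.html` run on the DC shows, under Security Settings, which GPO won for that setting; that is usually where the overriding policy the pentesters suspect turns up. The same report lists the winning value for "Named pipes that can be accessed anonymously", which is the setting to look at first when SAM and LSA queries still work over a null session.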