NT AUTHORITY\ANONYMOUS LOGON with write access to an SMB share


I have just set up a brand-new standalone Windows 2019 Server (Core) in a lab environment (i.e. for my own learning). Part of the reason is that I am interested in looking at null-session configuration from a security perspective.

In the process I created a share and wanted write access to it from a null session. However, even after granting ANONYMOUS LOGON full access on both the share and the ACL of the shared directory, I only get read access to the share.

I noticed that when the EveryoneIncludesAnonymous registry value is set to 1 I do get write access, but I don't understand why that is needed, since I have explicitly granted ANONYMOUS LOGON full access.

Is there some additional check I am missing? I would appreciate any help understanding this.

See the command output below for my configuration:

PS C:\Users\Administrator> Get-SmbShare -Name test1

Name  ScopeName Path                     Description
----  --------- ----                     -----------
test1 *         C:\inetpub\wwwroot\test1 anon share in iis root for testing

PS C:\Users\Administrator> Get-SmbShareAccess -Name test1

Name  ScopeName AccountName                  AccessControlType AccessRight
----  --------- -----------                  ----------------- -----------
test1 *         NT AUTHORITY\ANONYMOUS LOGON Allow             Full
test1 *         Everyone                     Allow             Full

PS C:\Users\Administrator> Get-Acl C:\inetpub\wwwroot\test1\ | Format-List -Property Owner,AccessToString

Owner          : NT AUTHORITY\ANONYMOUS LOGON
AccessToString : NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 BUILTIN\IIS_IUSRS Allow  ReadAndExecute, Synchronize
                 BUILTIN\IIS_IUSRS Allow  -1610612736
                 NT SERVICE\TrustedInstaller Allow  FullControl
                 NT SERVICE\TrustedInstaller Allow  268435456
                 NT AUTHORITY\SYSTEM Allow  FullControl
                 NT AUTHORITY\SYSTEM Allow  268435456
                 BUILTIN\Administrators Allow  FullControl
                 BUILTIN\Administrators Allow  268435456
                 BUILTIN\Users Allow  ReadAndExecute, Synchronize
                 BUILTIN\Users Allow  -1610612736
                 NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 CREATOR OWNER Allow  268435456

PS C:\Users\Administrator> reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa /v everyoneincludesanonymous

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    everyoneincludesanonymous    REG_DWORD    0x0

Then trying to copy a file to the share fails:

$ smbclient  -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Feb 28 08:21:29 2020
  ..                                  D        0  Fri Feb 28 08:21:29 2020
  somefile.txt                        A       22  Fri Feb 28 08:21:09 2020

                8247551 blocks of size 4096. 6341661 blocks available
smb: \> put test
NT_STATUS_ACCESS_DENIED opening remote file \test

After setting EveryoneIncludesAnonymous to 0x1 it works fine. To me this suggests that LanManServer performs some additional check, but I don't know where.

$ smbclient  -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> put test
putting file test as \test (0.3 kb/s) (average 0.3 kb/s)

Edit (updated with registry values)

C:\Windows\system32>reg query hklm\system\currentcontrolset\control\lsa\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    auditbasedirectories    REG_DWORD    0x0
    auditbaseobjects    REG_DWORD    0x0
    Bounds    REG_BINARY    0030000000200000
    crashonauditfail    REG_DWORD    0x0
    fullprivilegeauditing    REG_BINARY    00
    LimitBlankPasswordUse    REG_DWORD    0x1
    NoLmHash    REG_DWORD    0x1
    Security Packages    REG_MULTI_SZ    ""
    Notification Packages    REG_MULTI_SZ    scecli
    Authentication Packages    REG_MULTI_SZ    msv1_0
    SecureBoot    REG_DWORD    0x1
    LsaPid    REG_DWORD    0x260
    LsaCfgFlagsDefault    REG_DWORD    0x0
    ProductType    REG_DWORD    0x7
    disabledomaincreds    REG_DWORD    0x0
    everyoneincludesanonymous    REG_DWORD    0x1
    forceguest    REG_DWORD    0x0
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
C:\Windows\system32>reg query hklm\system\currentcontrolset\services\lanmanserver\parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters
    EnableAuthenticateUserSharing    REG_DWORD    0x0
    NullSessionPipes    REG_MULTI_SZ    
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    autodisconnect    REG_DWORD    0xf
    enableforcedlogoff    REG_DWORD    0x1
    enablesecuritysignature    REG_DWORD    0x0
    requiresecuritysignature    REG_DWORD    0x0
    restrictnullsessaccess    REG_DWORD    0x1
    NullSessionShares    REG_MULTI_SZ    test1
    RejectUnencryptedAccess    REG_DWORD    0x1
    Guid    REG_BINARY    A8BD872570049045A692E9384049A8D1

Answer 1

You need to enable the feature in Group Policy.

Network access: Let Everyone permissions apply to anonymous users

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The anonymous token does not include the Everyone group SID unless the system default has been overridden by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous to DWORD=1.

Source: https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateanonymoustoken
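An added example, not code from the question or the answer above, that lets you see the answer's point directly on the server: it impersonates the anonymous logon token with the same ImpersonateAnonymousToken API the answer cites, lists the SIDs that token actually carries, and reports them next to the LSA and LanmanServer settings the question dumped (EveryoneIncludesAnonymous, RestrictAnonymous, RestrictNullSessAccess, NullSessionShares) and the share-level ACEs for ANONYMOUS LOGON. Assumptions: an elevated Windows PowerShell 5.1 or PowerShell 7 session on the Windows Server host itself; the share name test1 is taken from the question; the function names are mine.

```powershell
# Added example (not from the question or the answer). Assumes an elevated PowerShell
# session on the Windows Server host; share name 'test1' is the one from the question.

# P/Invoke wrappers for the anonymous-token APIs. Guarded so the script can be re-run
# in the same session without an "type already exists" error from Add-Type.
if (-not ('AnonToken' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AnonToken {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateAnonymousToken(IntPtr threadHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentThread();
}
'@
}

function Get-AnonymousTokenSids {
    # Impersonate the anonymous logon token on this thread, read the token's user and
    # group SIDs through .NET, and always revert, even if reading the token throws.
    if (-not [AnonToken]::ImpersonateAnonymousToken([AnonToken]::GetCurrentThread())) {
        throw ("ImpersonateAnonymousToken failed, Win32 error " +
               [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        [pscustomobject]@{
            User   = $id.User.Value                          # S-1-5-7 = ANONYMOUS LOGON
            Groups = @($id.Groups | ForEach-Object { $_.Value })
        }
    } finally {
        [void][AnonToken]::RevertToSelf()
    }
}

function Test-NullSessionWriteConfig {
    param([string]$ShareName = 'test1')
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $tok = Get-AnonymousTokenSids

    [pscustomobject]@{
        AnonymousUserSid          = $tok.User
        # S-1-1-0 is Everyone. With EveryoneIncludesAnonymous = 0 this is $false,
        # which is why an "Everyone: Full" ACE never applies to a null session.
        TokenHasEveryone          = ($tok.Groups -contains 'S-1-1-0')
        AnonymousTokenGroups      = $tok.Groups
        EveryoneIncludesAnonymous = [int]$lsa.EveryoneIncludesAnonymous   # missing value -> 0
        RestrictAnonymous         = [int]$lsa.RestrictAnonymous
        RestrictNullSessAccess    = [int]$srv.RestrictNullSessAccess
        ShareIsNullSessionShare   = (@($srv.NullSessionShares) -contains $ShareName)
        # Share-level ACEs granted to ANONYMOUS LOGON (the question's Get-SmbShareAccess).
        ShareAcesForAnonymous     = @(Get-SmbShareAccess -Name $ShareName |
                                      Where-Object AccountName -eq 'NT AUTHORITY\ANONYMOUS LOGON' |
                                      ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" })
    }
}

Test-NullSessionWriteConfig -ShareName 'test1' | Format-List

# Applying the answer's setting without the Group Policy editor (same DWORD the policy writes):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name EveryoneIncludesAnonymous -Value 1 -Type DWord
# Checking the policy side of the same setting:
#   secedit /export /cfg "$env:TEMP\sec.inf"; Select-String EveryoneIncludesAnonymous "$env:TEMP\sec.inf"
```

Run it once with the value at 0 and once at 1 and compare TokenHasEveryone: the share and NTFS ACEs for ANONYMOUS LOGON are unchanged between the two runs, only the group list inside the anonymous token differs. Whether the server process picks the new value up immediately or only after a restart is not something the page establishes; a reboot is the safe assumption when checking.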
