May 17th, 2005, 12:30 AM
Null Sessions - explaining the risk(s) of it...
First - in case anyone was wondering, I am tasked to test the security on our servers/workstations/networks/websites, etc.
Second - my current assignment has me testing @30 servers and I am working on an explanation to a group about their security, or lack thereof, on a select number of Windows servers. One area of weakness is that I am able to connect, by way of null sessions, to some of their servers. I have a feeling that telling them I can enumerate local administrators, users, shares, permissions, group members, etc., all without using any form of authentication, will just net me puzzled looks. I have taken snapshots of what I was able to enumerate, and will be turning that over to them, but I believe I need a real-world explanation of the dangers of allowing null sessions to occur on their servers so that they will take action.
I need to tie in why the lack of security on those servers will compromise the business. Unfortunately, I do not believe I have enough expertise to bridge between what I can do technically and a business-like relationship to the risks, nor enough expertise to explain that to a group of users/admins who may or may not understand null sessions. I welcome your input and ideas on this.
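A defender-side check for the finding described above, added here as an example that is not part of the thread: a PowerShell audit of the registry values that govern anonymous (null-session) access on a Windows host, reporting which of them still permit the enumeration the poster was able to perform. The function name and the server list are assumptions for illustration; the registry paths and value names are the standard LSA and LanmanServer settings.

```powershell
# Added example (not from the thread). Audits null-session hardening on one or
# more Windows hosts by reading the LSA / LanmanServer registry values directly.
function Test-NullSessionHardening {
    param([string[]]$ComputerName = @('localhost'))   # constructed default

    $audit = {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        # Returns $null when a value is absent so the caller can flag "not set"
        # (the OS default for an absent value varies by Windows version).
        function Read-Value($Path, $Name) {
            $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $p) { $p.$Name }
        }
        [pscustomobject]@{
            Computer                  = $env:COMPUTERNAME
            RestrictAnonymous         = Read-Value $lsa 'RestrictAnonymous'
            RestrictAnonymousSAM      = Read-Value $lsa 'RestrictAnonymousSAM'
            EveryoneIncludesAnonymous = Read-Value $lsa 'EveryoneIncludesAnonymous'
            RestrictNullSessAccess    = Read-Value $srv 'RestrictNullSessAccess'
            NullSessionShares         = @(Read-Value $srv 'NullSessionShares')
            NullSessionPipes          = @(Read-Value $srv 'NullSessionPipes')
        }
    }

    foreach ($c in $ComputerName) {
        $r = if ($c -eq 'localhost') { & $audit } else { Invoke-Command -ComputerName $c -ScriptBlock $audit }
        $findings = @()
        # Hardened state: RestrictAnonymous=1, RestrictAnonymousSAM=1,
        # EveryoneIncludesAnonymous=0, RestrictNullSessAccess=1, no exception lists.
        if ($r.RestrictAnonymous -ne 1)         { $findings += 'RestrictAnonymous should be 1 (blocks anonymous share enumeration)' }
        if ($r.RestrictAnonymousSAM -ne 1)      { $findings += 'RestrictAnonymousSAM should be 1 (blocks anonymous SAM/user enumeration)' }
        if ($r.EveryoneIncludesAnonymous -eq 1) { $findings += 'EveryoneIncludesAnonymous=1 gives null sessions every right granted to Everyone' }
        if ($r.RestrictNullSessAccess -ne 1)    { $findings += 'RestrictNullSessAccess should be 1 (limits null sessions to listed shares/pipes)' }
        if ($r.NullSessionShares.Count -gt 0)   { $findings += "NullSessionShares exposes: $($r.NullSessionShares -join ', ')" }
        if ($r.NullSessionPipes.Count -gt 0)    { $findings += "NullSessionPipes exposes: $($r.NullSessionPipes -join ', ')" }
        [pscustomobject]@{ Computer = $r.Computer; Hardened = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed usage: the servers from the assessment would be listed here.
Test-NullSessionHardening -ComputerName 'localhost' | Format-List
```

Remote hosts are read through Invoke-Command, so the account running the audit needs WinRM access to each server; a report with an empty Findings list is the evidence that the setting change actually took effect.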
May 17th, 2005, 04:34 AM
May 17th, 2005, 02:56 PM
Well you might try the linguistic/religious approach?
"Null" comes from Latin, and means blank. So a null session is not owned by a user; it is a blank user. A blank user has no constraints, he is God, and can do what he pleases.
or.............. the number theory/finance approach?
"Null" is blank, whereas zero is a defined value. Which would you rather give me: a blank (null) cheque, or a cheque for zero? Because if you continue to allow null sessions you are potentially giving a wrongdoer a blank cheque.
That might work............simple enough to understand but not patronising?
May 17th, 2005, 09:56 PM
Exxxxxcelllllent! Thanks rowdy_yates and nihil for your responses. Both provide me what I need - we'll see where it goes tomorrow when I start s'plainin' to zem.
Just an FYI - the information provided by you guys helped out a lot! Thanks again. Now to write my report.