Disable SMB NULL on Windows 2012
Last Monday we got our PCI penetration test back from our PCI auditor. They had exploited an SMB null session vulnerability on a domain controller.
On Windows Server 2008 it was easy. You made a couple of registry changes and everything was good.
Here are the Windows 2008 registry changes (all REG_DWORD values).

HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous = 1
RestrictAnonymousSAM = 1
EveryoneIncludesAnonymous = 0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:
RestrictNullSessAccess = 1
Making those changes stops SMB null sessions on Windows Server 2008.
These settings did not help on Windows 2012, so I started to pull my hair out. Twelve hours later I had a couple of setting changes that I needed to try.
The following settings are GPO settings applied only to my domain controllers. They were tested in a live environment. I wish I had time to test before I deployed, but as you know, “testing environments are for squares”.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
– Network access: Allow anonymous SID/Name translation (disable)
– Network access: Do not allow anonymous enumeration of SAM accounts (enable)
– Network access: Do not allow anonymous enumeration of SAM accounts and shares (enable)
– Network access: Let Everyone permissions apply to anonymous users (disable)
Apart from the SID/Name translation policy (which is LSA policy rather than a registry value), these are the same Lsa values from the Windows 2008 list above, written by Group Policy this time: RestrictAnonymousSAM, RestrictAnonymous and EveryoneIncludesAnonymous respectively. The remaining 2008 value, RestrictNullSessAccess, is "Network access: Restrict anonymous access to Named Pipes and Shares".
Then, on the domain controller:
gpupdate /force
Still no luck.
OK, phase two. I figured I would be working all weekend if these GPO changes failed or corrupted my AD.
I crossed my fingers as I changed these last two GPOs.
– Network access: Named Pipes that can be accessed anonymously (none)
– Network access: Shares that can be accessed anonymously (none)
These two policies write the REG_MULTI_SZ values NullSessionPipes and NullSessionShares under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. They are exception lists: RestrictNullSessAccess = 1 blocks anonymous access only to pipes and shares that are not listed in them, and a domain controller ships with a non-empty pipe list (netlogon, samr and lsarpc on Server 2008 and later), so on a DC the Lsa settings alone still leave those pipes reachable by an anonymous session, which is exactly what a null session check looks for. Clearing both lists is what closes the null session. Before doing it, check that nothing still depends on anonymous access to those pipes (older clients and some third-party SMB implementations do), because they will stop working.
I closed the GPO settings box and waited. I tested the system and, to my surprise, the SMB null sessions were gone. I waited for the phone to ring because I knew it was too good to be true.
I am still waiting for the phone to ring.
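An added example, not from the original post, that audits the registry values the policies above write on a domain controller and then probes for a null session from a domain member, so the result can be checked instead of waiting for the phone. The function names, the temp file name and the server name 'DC01' are this example's own choices; run the audit elevated on the DC, and the probe from any domain member.

```powershell
# Added example (not the original post's code). Audits the values behind the
# "Network access: ..." policies and probes a server for an anonymous (null) SMB session.

function Test-AnonymousSmbHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # DWORD values behind the policies. Default = what Windows uses when the value is
    # absent (Server 2008 and later); Want = the hardened value.
    $dwords = @(
        @{ Path=$lsa; Name='RestrictAnonymous';         Want=1; Default=0; Policy='Do not allow anonymous enumeration of SAM accounts and shares' }
        @{ Path=$lsa; Name='RestrictAnonymousSAM';      Want=1; Default=1; Policy='Do not allow anonymous enumeration of SAM accounts' }
        @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Want=0; Default=0; Policy='Let Everyone permissions apply to anonymous users' }
        @{ Path=$srv; Name='RestrictNullSessAccess';    Want=1; Default=1; Policy='Restrict anonymous access to Named Pipes and Shares' }
    )
    # REG_MULTI_SZ exception lists: anything listed here stays reachable anonymously
    # even with RestrictNullSessAccess = 1, so the hardened state is an empty list.
    $lists = @(
        @{ Name='NullSessionPipes';  Policy='Named Pipes that can be accessed anonymously' }
        @{ Name='NullSessionShares'; Policy='Shares that can be accessed anonymously' }
    )

    foreach ($d in $dwords) {
        $v = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        if ($null -eq $v) { $v = $d.Default }   # absent value: the built-in default applies
        [pscustomobject]@{ Policy=$d.Policy; Value=$d.Name; Current=$v; Expected=$d.Want; Ok=($v -eq $d.Want) }
    }
    foreach ($l in $lists) {
        $v = @((Get-ItemProperty -Path $srv -Name $l.Name -ErrorAction SilentlyContinue).($l.Name) |
              Where-Object { $_ -and $_.Trim() })   # drop blank entries GPO leaves behind
        [pscustomobject]@{ Policy=$l.Policy; Value=$l.Name; Current=($v -join ','); Expected='(empty)'; Ok=($v.Count -eq 0) }
    }

    # "Allow anonymous SID/Name translation" is LSA policy, not a registry value, so read
    # it from a secedit export ([System Access] LSAAnonymousNameLookup; 0 = disabled).
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'   # temp file name chosen for this example
    secedit /export /cfg $inf /quiet | Out-Null
    $m = Select-String -Path $inf -Pattern '^\s*LSAAnonymousNameLookup\s*=\s*(\d)' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $cur = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { '(not in export)' }
    [pscustomobject]@{ Policy='Allow anonymous SID/Name translation'; Value='LSAAnonymousNameLookup'; Current=$cur; Expected=0; Ok=($cur -eq 0) }
}

function Test-NullSession {
    param([Parameter(Mandatory)][string]$Server)   # e.g. 'DC01' (hypothetical name)
    # An empty user name and empty password ask for an anonymous (null) session to IPC$,
    # the same thing a pentester's null session check does. Windows PowerShell drops
    # empty-string arguments to native commands, so the command line is handed to cmd.exe
    # verbatim with the stop-parsing token (--%) and the target passed via an environment variable.
    $env:NULLTARGET = "\\$Server\IPC$"
    $out = cmd /c --% net use %NULLTARGET% "" /user:"" 2>&1
    $allowed = ($LASTEXITCODE -eq 0)
    if ($allowed) { net use "\\$Server\IPC$" /delete /y | Out-Null }   # clean up the session we opened
    [pscustomobject]@{ Server=$Server; NullSessionAllowed=$allowed; Detail=(($out | Out-String).Trim()) }
}

# Usage. On the domain controller, after gpupdate /force:
Test-AnonymousSmbHardening | Format-Table Policy, Current, Expected, Ok -AutoSize
# From a domain member, against the DC (NullSessionAllowed = False is the goal):
Test-NullSession -Server 'DC01'
```

Run the audit before and after the GPO change: the two list rows are the ones that flip to Ok on a domain controller, since the Lsa rows are usually already at their hardened values. If the probe still reports NullSessionAllowed = True after the lists are cleared, check with gpresult /r that the DC actually picked up the policy rather than re-editing the GPO.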