I have just set up a fresh standalone Windows 2019 Server (Core) in a lab environment (i.e. for my own learning). In part, this is because I was interested in looking into null session configurations from a security perspective.
While doing this, I created a share that I intended to have write access from a null session. However, I am only able to get read access to that share, even when ANONYMOUS LOGON is granted full access to both the share and shared directory ACLs.
I have noticed that when I set the EveryoneIncludesAnonymous registry value to 1, I do get write access; however, I don't understand why this is needed, as I have already explicitly given ANONYMOUS LOGON full access.
Is there some additional check in place that I have missed? Any help in understanding this would be appreciated.
See the command outputs below for my configuration:
PS C:\Users\Administrator> Get-SmbShare -Name test1

Name  ScopeName Path                     Description
----  --------- ----                     -----------
test1 *         C:\inetpub\wwwroot\test1 anon share in iis root for testing
PS C:\Users\Administrator> Get-SmbShareAccess -Name test1

Name  ScopeName AccountName                  AccessControlType AccessRight
----  --------- -----------                  ----------------- -----------
test1 *         NT AUTHORITY\ANONYMOUS LOGON Allow             Full
test1 *         Everyone                     Allow             Full
PS C:\Users\Administrator> Get-Acl C:\inetpub\wwwroot\test1\ | Format-List -Property Owner,AccessToString

Owner          : NT AUTHORITY\ANONYMOUS LOGON
AccessToString : NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 BUILTIN\IIS_IUSRS Allow  ReadAndExecute, Synchronize
                 BUILTIN\IIS_IUSRS Allow  -1610612736
                 NT SERVICE\TrustedInstaller Allow  FullControl
                 NT SERVICE\TrustedInstaller Allow  268435456
                 NT AUTHORITY\SYSTEM Allow  FullControl
                 NT AUTHORITY\SYSTEM Allow  268435456
                 BUILTIN\Administrators Allow  FullControl
                 BUILTIN\Administrators Allow  268435456
                 BUILTIN\Users Allow  ReadAndExecute, Synchronize
                 BUILTIN\Users Allow  -1610612736
                 NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 CREATOR OWNER Allow  268435456
PS C:\Users\Administrator> reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa /v everyoneincludesanonymous

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    everyoneincludesanonymous    REG_DWORD    0x0

Then trying to copy a file to the share fails:
$ smbclient -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Feb 28 08:21:29 2020
  ..                                  D        0  Fri Feb 28 08:21:29 2020
  somefile.txt                        A       22  Fri Feb 28 08:21:09 2020

                8247551 blocks of size 4096. 6341661 blocks available
smb: \> put test
NT_STATUS_ACCESS_DENIED opening remote file \test
After setting EveryoneIncludesAnonymous to 0x1 it works. To me, this suggests there is some additional check performed by the LanManServer, but I don't know where.
$ smbclient -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> put test
putting file test as \test (0.3 kb/s) (average 0.3 kb/s)
EDIT (Update with registry values)
C:\Windows\system32>reg query hklm\system\currentcontrolset\control\lsa\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    auditbasedirectories         REG_DWORD       0x0
    auditbaseobjects             REG_DWORD       0x0
    Bounds                       REG_BINARY      0030000000200000
    crashonauditfail             REG_DWORD       0x0
    fullprivilegeauditing        REG_BINARY      00
    LimitBlankPasswordUse        REG_DWORD       0x1
    NoLmHash                     REG_DWORD       0x1
    Security Packages            REG_MULTI_SZ    ""
    Notification Packages        REG_MULTI_SZ    scecli
    Authentication Packages      REG_MULTI_SZ    msv1_0
    SecureBoot                   REG_DWORD       0x1
    LsaPid                       REG_DWORD       0x260
    LsaCfgFlagsDefault           REG_DWORD       0x0
    ProductType                  REG_DWORD       0x7
    disabledomaincreds           REG_DWORD       0x0
    everyoneincludesanonymous    REG_DWORD       0x1
    forceguest                   REG_DWORD       0x0
    restrictanonymous            REG_DWORD       0x0
    restrictanonymoussam         REG_DWORD       0x1
C:\Windows\system32>reg query hklm\system\currentcontrolset\services\lanmanserver\parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters
    EnableAuthenticateUserSharing    REG_DWORD        0x0
    NullSessionPipes                 REG_MULTI_SZ
    ServiceDll                       REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll
    ServiceDllUnloadOnStop           REG_DWORD        0x1
    autodisconnect                   REG_DWORD        0xf
    enableforcedlogoff               REG_DWORD        0x1
    enablesecuritysignature          REG_DWORD        0x0
    requiresecuritysignature         REG_DWORD        0x0
    restrictnullsessaccess           REG_DWORD        0x1
    NullSessionShares                REG_MULTI_SZ     test1
    RejectUnencryptedAccess          REG_DWORD        0x1
    Guid                             REG_BINARY       A8BD872570049045A692E9384049A8D1
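The post gathers the relevant state by hand from several places (two registry keys, the share ACL and the NTFS ACL). The following PowerShell script is an added example, not part of the original post, that collects the same settings in one read-only pass so a defender can review what a null session is allowed to reach on a server. It reads the real LSA and LanmanServer registry values shown above and, for every share named in NullSessionShares, lists the share-level and NTFS ACL entries for ANONYMOUS LOGON and Everyone. Everyone is reported alongside ANONYMOUS LOGON because, when EveryoneIncludesAnonymous is 0, the anonymous logon token does not carry the Everyone SID, so permissions granted to Everyone do not apply to a null session. The function names are the example's own; the cmdlets and registry names are real.

```powershell
# Added audit script (not from the original post). Read-only: it reports
# null-session policy and ACL exposure; it changes nothing.
# Run in an elevated PowerShell on the file server.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValueOrDefault {
    # Returns the named registry value, or $Default when the value is absent.
    param([string]$Path, [string]$Name, $Default = '<not set>')
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-NullSessionPolicy {
    # LSA values decide what SIDs the anonymous token contains; LanmanServer
    # values decide whether a null session may reach any share or pipe at all.
    # Defaults mirror a stock Server 2019 when a value is missing.
    [pscustomobject]@{
        EveryoneIncludesAnonymous = Get-RegValueOrDefault $lsaPath 'EveryoneIncludesAnonymous' 0
        RestrictAnonymous         = Get-RegValueOrDefault $lsaPath 'RestrictAnonymous' 0
        RestrictAnonymousSAM      = Get-RegValueOrDefault $lsaPath 'RestrictAnonymousSAM' 1
        RestrictNullSessAccess    = Get-RegValueOrDefault $srvPath 'RestrictNullSessAccess' 1
        NullSessionShares         = @(Get-RegValueOrDefault $srvPath 'NullSessionShares' @())
        NullSessionPipes          = @(Get-RegValueOrDefault $srvPath 'NullSessionPipes' @())
    }
}

function Get-AnonymousShareExposure {
    # For each share name, report the share-level and NTFS ACL entries for the
    # two identities that matter to a null session: ANONYMOUS LOGON and Everyone.
    param([string[]]$ShareNames)
    $who = 'ANONYMOUS LOGON|^Everyone$'
    foreach ($name in $ShareNames) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $share) { continue }   # listed in the registry but no such share

        $shareAces = Get-SmbShareAccess -Name $name |
            Where-Object { $_.AccountName -match $who }
        $ntfsAces = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.IdentityReference -match $who }

        [pscustomobject]@{
            Share    = $name
            Path     = $share.Path
            ShareACL = ($shareAces | ForEach-Object {
                           "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }) -join '; '
            NtfsACL  = ($ntfsAces  | ForEach-Object {
                           "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        }
    }
}

$policy = Get-NullSessionPolicy
$policy | Format-List

if ($policy.NullSessionShares.Count -gt 0) {
    Get-AnonymousShareExposure -ShareNames $policy.NullSessionShares | Format-List
} else {
    'No shares are listed in NullSessionShares.'
}
```

On the configuration in the post this prints EveryoneIncludesAnonymous, RestrictNullSessAccess and NullSessionShares together with the Full/FullControl entries for ANONYMOUS LOGON on test1, which is the combination worth reviewing on any server that is not a deliberate lab box: a share that a null session can both reach and write to.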