Registry Search

(imported topic written by AGOTAY)

I created a new fixlet to change/create the following registry keys to remediate the Microsoft Windows SMB NULL Session Authentication Vulnerability. I tested it and it works fine in a lab environment, but I would like to know on which Windows computers it is really necessary to deploy the fix.

These are the REG keys necessary to apply:

  • regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]" "restrictanonymous"=dword:00000001
  • regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]" "restrictnullsessaccess"=dword:00000001
  • regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]" "NullSessionPipes"=hex(7):00,00

I was reading some topics about something like this, but I need a little help to finish the setup.

This is what I have:

  • exists value "1" of key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous" of registry
  • exists value "1" of key "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\restrictnullsessaccess" of registry

Any help will be appreciated.

Regards,

AGOTAY

(imported comment written by NivS)

Hi Agotay,

One way I found to make it work is this:

(((value "restrictanonymous" of key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" of registry) as string) != "1")

This will be true for computers whose restrictanonymous value is not 1.

Regards,

Niv
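
An added example, not part of either poster's messages: one relevance clause that checks both DWORD values from the original post and also covers the case where a value does not exist at all. Reading a missing value directly raises a "nonexistent object" error, and a fixlet whose relevance errors is treated as not relevant, so such machines would be skipped; wrapping the test in `not exists ... whose` avoids that. The multi-string `NullSessionPipes` value is not covered here.

```relevance
/* Added example: true when either value is missing or is not set to 1,
   i.e. the computer still needs the fix. Key paths and value names are
   the ones given in the original post. */
(not exists value "restrictanonymous" whose (it as integer = 1) of key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" of registry)
OR
(not exists value "restrictnullsessaccess" whose (it as integer = 1) of key "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" of registry)
```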

(imported comment written by AGOTAY)

Thanks NivS, it seems to be working…

Regards,

AGOTAY