  • Restricting Anonymous network access to lookup account names and network shares
  • Enforcing strong user passwords
  • Restricting Anonymous network access to Registry




    Date: 22.03.2020

    Restricting Anonymous network access to Registry





    STATUS: Completed / Not implemented / Not applicable









    Windows NT version 4.0 Service Pack 3 includes a security enhancement that restricts anonymous (null session) logons when they connect to specific named pipes, including the one for the Registry.

    There is a registry key value that defines the list of named pipes that are “exempt” from this restriction. The key value is:


    Hive:  HKEY_LOCAL_MACHINE\SYSTEM
    Key:   System\CurrentControlSet\Services\LanManServer\Parameters
    Name:  NullSessionPipes
    Type:  REG_MULTI_SZ
    Value: Add or remove names from the list as required by the configuration.

    Please refer to Knowledge Base article Q143138 for more details.


    Restricting Anonymous network access to lookup account names and network shares





    STATUS: Completed / Not implemented / Not applicable









    Windows NT has a feature where anonymous logon users can list domain user names and enumerate share names. Customers who want enhanced security have requested the ability to optionally restrict this functionality. Windows NT 4.0 Service Pack 3 and a hotfix for Windows NT 3.51 provide a mechanism for administrators to restrict the ability of anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. Listing account names from Domain Controllers is required by the Windows NT ACL editor, for example, to obtain the list of users and groups from which a user selects who to grant access rights. Listing account names is also used by Windows NT Explorer to select from a list of users and groups to grant access to a share.

    The registry key value to set for enabling this feature is:



    Hive:  HKEY_LOCAL_MACHINE\SYSTEM
    Key:   System\CurrentControlSet\Control\LSA
    Name:  RestrictAnonymous
    Type:  REG_DWORD
    Value: 1

    This enhancement is part of Windows NT version 4.0 Service Pack 3. A hotfix for it is also provided for Windows NT version 3.51. Please refer to Knowledge Base article Q143474 for more details.


    Enforcing strong user passwords





    STATUS: Completed / Not implemented / Not applicable









    Windows NT 4.0 Service Pack 2 and later include a password filter DLL file (Passfilt.dll) that lets you enforce stronger password requirements for users. Passfilt.dll provides enhanced security against "password guessing" or "dictionary attacks" by outside intruders.


    Passfilt.dll implements the following password policy:

    • Passwords must be at least six (6) characters long. (The minimum password length can be increased further by setting a higher value in the Password Policy for the domain).

    • Passwords must contain characters from at least three (3) of the following four (4) classes:

      Description                                  Examples
      English upper case letters                   A, B, C, ... Z
      English lower case letters                   a, b, c, ... z
      Westernized Arabic numerals                  0, 1, 2, ... 9
      Non-alphanumeric ("special characters")      such as punctuation symbols

    • Passwords may not contain your user name or any part of your full name.

    These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the user interface or registry. If you wish to raise or lower these requirements, you may write your own .dll and implement it in the same fashion as the Microsoft version that is available with Windows NT 4.0 Service Pack 2.
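
The three Passfilt.dll rules above, expressed as a check that can be run over candidate passwords. This is an added example, not Microsoft's Passfilt.dll code; the case-insensitive name comparison, the splitting of the full name on non-alphanumeric characters, the three-character minimum for a full-name part, and the sample accounts are assumptions made for illustration.

```python
import re

MIN_LENGTH = 6        # minimum length stated in the policy
REQUIRED_CLASSES = 3  # at least three of the four character classes
MIN_NAME_PART = 3     # assumption: full-name parts shorter than this are ignored


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if "A" <= ch <= "Z":
            classes.add("upper")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        elif not ch.isalnum():  # punctuation, spaces, symbols
            classes.add("special")
    return classes


def name_parts(user_name, full_name):
    """Lowercased user name plus the parts of the full name (assumed split rule)."""
    parts = [user_name] if user_name else []
    parts += [p for p in re.split(r"[\W_]+", full_name) if len(p) >= MIN_NAME_PART]
    return [p.lower() for p in parts]


def check_password(password, user_name, full_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        violations.append("fewer than three character classes")
    lowered = password.lower()  # assumption: comparison ignores case
    if any(part in lowered for part in name_parts(user_name, full_name)):
        violations.append("contains user name or part of full name")
    return violations


# Constructed sample account and candidate passwords.
SAMPLES = ["Winter#97", "Smith2024!", "abcdefgh", "Ab1!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:12} {check_password(pw, 'jsmith', 'John Smith') or 'OK'}")
```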

    To use Passfilt.dll, the administrator must configure the password filter DLL in the system registry on all domain controllers. This is done with the following registry key value:



    Hive:  HKEY_LOCAL_MACHINE\SYSTEM
    Key:   System\CurrentControlSet\Control\LSA
    Name:  Notification Packages
    Type:  REG_MULTI_SZ
    Value: Add string “PASSFILT” (do not remove existing ones).

