Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
634
Views
8
Helpful
3
Replies

CSA and SMB Null Session Alerts

acciai_gf
Level 1
Level 1

‎07-27-2006 02:28 PM - edited ‎03-09-2019 03:43 PM

Running CSA V4.5.1 B616 - We're seeing lots of alerts like the following:

TESTMODE: The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to communicate with x.x.x.x on TCP port 139. The attempted access was to accept a connection as a server (operation = ACCEPT).

This is violating rule 1527 - which is attempting to block anything trying to talk via an SMB Null Session (Unauthenticated file/print sharing) - Problem is we can't "recreate" this in the lab - the process is just "system" so it's hard to pin down - remotelely browsing or attempting connections to C$ on a client with an authenicated host or not

Can anyone explain, exactly what is triggering this, and any rules that "determine" who/what system is??

Surely we're not the first to run into this, as it seems like a fairly common windows thing...

Labels:
0 Helpful
3 Replies 3

tsteger1
Level 8
Level 8

‎07-28-2006 01:49 PM

Your Windows hosts are probably configured with file and print sharing enabled and may also by set to scan for shares when users open explorer.

These settings were on by default in Windows 2000 and XP. As long as your are blocking this you should be fine. We turned these off on our machines but we still block it with CSA unless needed.

You may also note that rules in test mode will generate alerts on the MC even though they are set not to log. You may find other rules that are set to block this and not log it because it is so prevalent.

Tom S

0 Helpful

acciai_gf
Level 1
Level 1
In response to tsteger1

‎08-10-2006 07:17 AM

I know it's somewhat bad form to reply to one's own post - But perhaps someone else is struggling with a similiar issue..

Anyways, we tried every "possibility" related around file & print shares as it pertained to "Null Sessions" (authenicated in domain, authenticated locally, not authenicated, etc) and could NEVER get this to be repeatable in a "lab" enviroment..

Turns out, these TCP/139 alerts were NOT related to File/Print sharing - Actually their we're all related to the "Computer Browser" service - You can read lots from MS, about where a domain and master browser server need to be - but in the Win2K & WinNT clients, this service was enabled by default.. Disable this service (on the clients - we have a well defined Browse Master chosen on each segement as well as the Domain controller) - Seems other servers (with CSA and the Computer Browser service runinng) are sending out broadcasts, which "attract" other browser clients..

Bottom line, we've made some focused efforts on disabling the "Computer Browser" service on clients with CSA, and nearly all of this "Null Session" TCP/139 alerts are gone..

File and print sharing can cause these alerts, but it typically was NOT under Null sessions, and under these cases it was fairly clear as to the cause, trigger, etc..

Hope this helps someone else down the road.. TCP/139 NAC violations will Null sessions - Check your "Computer Browser" Settings and do some homework in your client browser configs..

tsteger1
Level 8
Level 8
In response to acciai_gf

‎08-10-2006 12:24 PM

Not bad form at all especially when you shed some better light on the problem. I was way off anyway with the port. Ports 137-9 are NBT related where 445 is SMB. Must have been sleeping...

We saw a lot of things that we never knew were lurking under the surface of our network when we first deployed CSA back in 2003.

As a result have changed how we deploy machines and turning off File and Print Sharing, Computer Browser, , Messenger, SSDP and several other services that were enabled by default has made it a much more quiet (and secure IMHO) network.

Tom S

Customers Also Viewed These Support Documents