M Maki wrote:
> I have a couple of Samba (2.0.7 & 2.2.0) servers I scanned with Nessus and
> they reported a security hole of "Possible to login to the remote host using
> a NULL session". I have a couple of NT servers I disabled with a registry
> edit. Is there a way to prevent this on the Samba servers or is it even a
> valid issue?
Samba HEAD starts to add some of this, but the manpage is completely
inaccurate...

Setting 'restrict anonymous = 1' should get you the start.
I'm looking into how to best implement 'restrict anonymous = 2'.

In the meantime, if you set 'auth methods = sam' (for standalone
servers) then it will skip the 'guest' module, and deny all anonymous
connections. However, this will break browsing and other services.

Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net