Azure Security Centre - Can't get rid of 90044-Allowed Null Session recommendation


I have 8 different Windows Server 2016 and 2019 Virtual Machines in one of my Azure subscriptions.

Of these, 7 of them report a fail on the 90044-Allowed Null Session check in Azure Security Centre as shown here:


The CVE links go to information that is either unrelated or so ridiculously out of date it's older than Methuselah.

When following the links in the 'Remediation' section, the first one goes 404 and the second one takes me to an eons-old Server 2000 documentation link that recommends setting a specific Registry entry. This setting is already present and configured as recommended by default.

I've done some Googling around and found this Windows 10 link which has instructions on configuring the setting in GP; again, this is configured as recommended on all VMs. Also found this from Blumira which has a more detailed rundown of additional Registry and Group Policy settings that should be applied. I can confirm that all servers are configured as per the recommendations here as well.

So my question is: on what criteria is this recommendation appearing, and how do I configure my VMs to satisfy the requirements of this recommendation?

Any help would be very greatly appreciated, this is making a significant dent in my ASC score (6 points, or -10%).


There are 2 answers

0
Chris Butler On BEST ANSWER

I have found the answer to this: there is a registry entry that was not set as required on the affected machines:

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

This is defaulted to '0' on all affected VMs; set this to '1' (Null sessions cannot be used to enumerate shares) and the machines will then pass the requirements for the check.

Any/all other settings to pass this check appear to be as required by default on the standard Windows Server 2016/2019 images used in Azure.
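One way to check for the condition this answer describes on each VM, as an added example that is not part of the original answer: saved as a script and run elevated, it reports `RestrictAnonymous` next to two related null-session values and, with `-Remediate`, sets `RestrictAnonymous` to 1. The two related value names and the `-Remediate` switch are assumptions of this example; the answer itself only confirms `RestrictAnonymous`.

```powershell
# Added example (not from the original answer): audit null-session registry
# values on the local server and optionally set RestrictAnonymous to 1.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# RestrictAnonymous = 1 comes from the answer above. The other two values back
# the related "Network access" policies; whether the 90044 check evaluates
# them is an assumption, they are listed so the full picture is visible.
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';      Expected = 1 }
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';   Expected = 1 }
    @{ Path = $server; Name = 'RestrictNullSessAccess'; Expected = 1 }
)

$report = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Name     = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        # A missing value is flagged for review rather than assumed compliant.
        Pass     = ($null -ne $actual -and $actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

if ($Remediate) {
    # Only the value named in the answer is changed; the rest are report-only.
    $bad = $report | Where-Object { $_.Name -eq 'RestrictAnonymous' -and -not $_.Pass }
    if ($bad -and $PSCmdlet.ShouldProcess("$lsa\RestrictAnonymous", 'Set to 1')) {
        Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous' -Value 1 -Type DWord
        Write-Output 'RestrictAnonymous set to 1.'
    }
}
```

Running it with `-Remediate -WhatIf` shows the pending change without writing to the registry.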

2
Ansuman Bal On

You can use Group Policy to control this setting: the "Network access: Restrict anonymous access to Named Pipes and Shares" security policy setting.

Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares