Net Cease - Hardening Net Session Enumeration

The “Net Cease” tool is a short PowerShell (PS) script that alters the default permissions of Net Session Enumeration (NetSessionEnum). This hardening step prevents attackers from easily obtaining valuable reconnaissance information (which users have sessions on which hosts) that they would otherwise use to move laterally within the victim's network.

NetCease.zip
4.5 stars (10 ratings), downloaded 21,612 times
Security
12/11/2016


  • Extra permissions being granted
    1 Posts | Last post April 01, 2019
    • When testing on Windows 10 1803 the default ACL seems to be more restrictive than that applied by this script, and so in some scenarios this script may actually reduce system security?
      
      The default system ACL is:
      O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;CC;;;IU)(A;;CC;;;SU)(A;;CC;;;S-1-5-3)
      
      The script applies the following (reordered some elements for ease of comparison):
      O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;FA;;;IU)(A;;FA;;;SU)(A;;FA;;;S-1-5-3)
      
      The effect is that the three service accounts (INTERACTIVE USER, SERVICE, BATCH) are granted Full Access while by default they only have the ListDirectory privilege.
      
      I also tested on Windows Server 2016. I didn't record my precise results but from memory the default ACL granted ListDirectory to Authenticated Users instead of the three service accounts. So while NetCease will stop any authenticated user from enumerating active sessions it's still granting more privileges than are necessary to the service accounts. I'm not clear what the practical implications of that are.
      
      Requesting that this script be reviewed and updated as presently it's reducing system security in some configurations.
      
      All testing performed using NetCease 1.0.3 obtained via PSGallery. The version attached here seems to be slightly older and identifies as 1.0.2.
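The comparison in the post above, and the AccessMask question further down this page, both come down to reading the binary security descriptor stored in the SrvsvcSessionInfo value and diffing its ACEs. The PowerShell below is an added example, not part of NetCease or of this page; it assumes only the registry path used by NetCease (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity) and uses the two SDDL strings quoted in the post as constructed offline input. For reference, 0x00000001 is the mask SDDL renders as CC and 0x001F01FF is the mask it renders as FA.

```powershell
# Added example (not part of NetCease or of the original page): decode the
# SrvsvcSessionInfo value into SDDL, list its ACEs, and diff two descriptors
# per SID so "before" and "after" can be compared mechanically rather than by eye.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

function Get-SrvsvcSessionInfoAcl {
    # Reads the binary security descriptor from the registry and returns its SDDL
    # form plus one row per ACE (principal, SID, ACE type, raw access mask).
    param([string]$Path = $keyPath, [string]$ValueName = 'SrvsvcSessionInfo')
    $bytes = [byte[]](Get-ItemProperty -Path $Path -Name $ValueName).$ValueName
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [PSCustomObject]@{
            Principal  = $name
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
    [PSCustomObject]@{
        Sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Aces = $aces
    }
}

function Compare-SessionInfoSddl {
    # Lists, per SID, the access-mask bits that differ between two descriptors.
    # Masks are reported raw: this descriptor protects the Server service's session
    # information, not a registry key, so RegistryRights names do not apply to the bits.
    param([string]$ReferenceSddl, [string]$CurrentSddl)
    $maskOf = {
        param($sddl)
        $m = @{}
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($a in $sd.DiscretionaryAcl) { $m[$a.SecurityIdentifier.Value] = [int]$a.AccessMask }
        $m
    }
    $ref = & $maskOf $ReferenceSddl
    $cur = & $maskOf $CurrentSddl
    foreach ($sid in (@($ref.Keys) + @($cur.Keys) | Sort-Object -Unique)) {
        $r = [int]$ref[$sid]; $c = [int]$cur[$sid]   # missing SID => mask 0
        if ($r -ne $c) {
            [PSCustomObject]@{
                Sid           = $sid
                ReferenceMask = ('0x{0:X8}' -f $r)
                CurrentMask   = ('0x{0:X8}' -f $c)
                AddedBits     = ('0x{0:X8}' -f ($c -band -bnot $r))
                RemovedBits   = ('0x{0:X8}' -f ($r -band -bnot $c))
            }
        }
    }
}

# Constructed input: the two descriptors quoted in the discussion (Windows 10 1803
# default vs. the one the script applied), so the comparison runs offline.
$defaultSddl = 'O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;CC;;;IU)(A;;CC;;;SU)(A;;CC;;;S-1-5-3)'
$appliedSddl = 'O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;FA;;;IU)(A;;FA;;;SU)(A;;FA;;;S-1-5-3)'

Compare-SessionInfoSddl -ReferenceSddl $defaultSddl -CurrentSddl $appliedSddl | Format-Table -AutoSize

# On a live host, diff the known default against what is actually in the registry:
# Compare-SessionInfoSddl -ReferenceSddl $defaultSddl -CurrentSddl (Get-SrvsvcSessionInfoAcl).Sddl
```

The diff only reports SIDs whose mask changed, so on a host where the script granted FA where the OS default granted CC, the interactive, service and batch SIDs show up with AddedBits of 0x001F01FE; an empty result means the live descriptor matches the reference you supplied.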
  • corresponding event ID?
    1 Posts | Last post June 27, 2017
    • Thanks for this release Itai,
      
      Is there a corresponding event ID for finding failed enumerations? After applying NetCease, I've run many failed attempts, but I just can't find any events.
      
      Thank you.
  • Target for this script
    2 Posts | Last post December 07, 2016
    • It is mentioned in the description, that the script could be used on the domain controllers and/or file servers in a domain. Would it make any sense to target it to all servers and computers too?
    • Yes, since any computer might have (SMB) sessions of remote users. Attackers can query all domain computers for those sessions and gather information on logged-on users in that domain.
  • Can we run this command on Windows 2000, 2003 and XP?
    2 Posts | Last post November 01, 2016
    • Can we run this command on Windows 2000, 2003 and XP?
    • I didn't try it on Win2K/2003/XP, please let me know if you did and succeeded.
  • AccessMask
    2 Posts | Last post October 19, 2016
    • What is the access granted for the value 0x001f01ff?  
      
      When I look at the existing/default access rules for the registry value on a computer, it is:  
      
      SID: S-1-5-11 AccesMask: 1 WellKnown: AuthenticatedUserSid  
      SID: S-1-5-32-544 AccesMask: 983059 WellKnown: BuiltinAdministratorsSid  
      SID: S-1-5-32-547 AccesMask: 983059 WellKnown: BuiltinPowerUsersSid  
      SID: S-1-5-32-549 AccesMask: 983059 WellKnown: BuiltinSystemOperatorsSid  
      
      1 and 983059 are both valid values of the RegistryRights enum. 
      
      1: QueryValues  
      983059: QueryValues | SetValue | Notify | Delete | ReadPermissions | ChangePermissions | TakeOwnership  
      
      What access is granted for 0x001f01ff? 
    • Hi Greg, thanks for your reply. I've changed the value to the AccessMask of AuthenticatedUserSid.
  • What is the roll back strategy?
    3 Posts | Last post October 19, 2016
    • Dear Itai or other beloved friends,
      
      Somehow, we have a complex environment; in that case, how can we revert this change?
    • Read the script and you will know :-)
    • Hi Rohit, please see the new registry value named "SrvsvcSessionInfoBackup" that was created by this script. It contains your original SrvsvcSessionInfo value, and both are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.
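A rollback built on the backup value described in the reply above, as an added PowerShell example that is not the NetCease script itself: it copies SrvsvcSessionInfoBackup back over SrvsvcSessionInfo after checking that the backup parses as a security descriptor, and leaves the backup in place. It assumes the key path named in the reply, that it is run elevated, and (an assumption not stated on this page) that the Server service (LanmanServer) reads this key at start-up and therefore has to be restarted for the restored descriptor to take effect.

```powershell
# Added example (not the NetCease script): restore SrvsvcSessionInfo from the
# SrvsvcSessionInfoBackup value that NetCease writes. Run from an elevated prompt.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

function Restore-SrvsvcSessionInfo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $keyPath,
        # Assumption: the Server service only re-reads DefaultSecurity when it starts.
        [switch]$RestartServerService
    )

    $props = Get-ItemProperty -Path $Path
    if (-not ($props.PSObject.Properties.Name -contains 'SrvsvcSessionInfoBackup')) {
        throw "No SrvsvcSessionInfoBackup value under $Path; nothing to roll back."
    }
    $backup = [byte[]]$props.SrvsvcSessionInfoBackup

    # Refuse to write garbage: the backup must parse as a security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($backup, 0)
    $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($PSCmdlet.ShouldProcess("$Path\SrvsvcSessionInfo", "Restore descriptor: $sddl")) {
        Set-ItemProperty -Path $Path -Name 'SrvsvcSessionInfo' -Value $backup -Type Binary
        if ($RestartServerService) {
            Restart-Service -Name LanmanServer -Force
        }
    }

    # Return what was restored so the caller can log or compare it.
    [PSCustomObject]@{ Path = $Path; RestoredSddl = $sddl }
}

# Preview first, then apply:
# Restore-SrvsvcSessionInfo -WhatIf
# Restore-SrvsvcSessionInfo -RestartServerService
```

Because the function supports -WhatIf, it prints the SDDL it is about to write without touching the registry, which is the check you want before rolling back a fleet of servers; the backup value is deliberately left behind so the operation can be repeated or audited later.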