When testing on Windows 10 1803 the default ACL seems to be more restrictive than that applied by this script, and so in some scenarios this script may actually reduce system security? The default system ACL is: O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;CC;;;IU)(A;;CC;;;SU)(A;;CC;;;S-1-5-3) The script applies the following (reordered some elements for ease of comparison): O:SYG:SYD:(A;;CCDCRPSDRCWDWO;;;BA)(A;;CCDCRPSDRCWDWO;;;SO)(A;;CCDCRPSDRCWDWO;;;PU)(A;;FA;;;IU)(A;;FA;;;SU)(A;;FA;;;S-1-5-3) The effect is that the three service accounts (INTERACTIVE USER, SERVICE, BATCH) are granted Full Access while by default they only have the ListDirectory privilege. I also tested on Windows Server 2016. I didn't record my precise results but from memory the default ACL granted ListDirectory to Authenticated Users instead of the three service accounts. So while NetCease will stop any authenticated user from enumerating active sessions it's still granting more privileges than are necessary to the service accounts. I'm not clear what the practical implications of that are. Requesting that this script be reviewed and updated as presently it's reducing system security in some configurations. All testing performed using NetCease 1.0.3 obtained via PSGallery. The version attached here seems to be slightly older and identifies as 1.0.2.
Thanks for this release, Itai. Is there a corresponding event ID for finding failed enumerations? After applying NetCease, I've run many failed attempts, but just can't find any events. Thank you.
It is mentioned in the description that the script could be used on the domain controllers and/or file servers in a domain. Would it make any sense to target it to all servers and computers too?
Yes, since any computer might have (SMB) sessions of remote users. Attackers can query all domain computers for those sessions and gather information on logged-on users in that domain.
I didn't try it on Win2K/2003/XP, please let me know if you did and succeeded.
What is the access granted for the value 0x001f01ff? When I look at the existing/default access rules for the registry value on a computer, it is: SID: S-1-5-11 AccessMask: 1 WellKnown: AuthenticatedUserSid; SID: S-1-5-32-544 AccessMask: 983059 WellKnown: BuiltinAdministratorsSid; SID: S-1-5-32-547 AccessMask: 983059 WellKnown: BuiltinPowerUsersSid; SID: S-1-5-32-549 AccessMask: 983059 WellKnown: BuiltinSystemOperatorsSid. 1 and 983059 are both valid values of the RegistryRights enum. 1: QueryValues; 983059: QueryValues | SetValue | Notify | Delete | ReadPermissions | ChangePermissions | TakeOwnership. What access is granted for 0x001f01ff?
Hi Greg, thanks for your reply. I've changed the value to the AccessMask of AuthenticatedUserSid.
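Added example for the two questions above (the SDDL comparison in the first comment and the 0x001f01ff mask): this is not NetCease code and not any commenter's script. It assumes PowerShell 5.1 or later on the host being audited, and reads the live SrvsvcSessionInfo value (or the backup value the script leaves behind). The value is a security descriptor that the Server service checks against the caller of its session-enumeration call, so the masks are reported here as the raw access-mask bits that SDDL renders as FA (0x001F01FF) and CC (0x00000001), which makes the output directly comparable with the SDDL strings quoted above.

```powershell
# Added example, not part of NetCease: decode the SrvsvcSessionInfo security
# descriptor to SDDL and list each ACE with its raw access mask.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$name = 'SrvsvcSessionInfo'   # use 'SrvsvcSessionInfoBackup' to inspect the pre-NetCease value

$bytes = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
$sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

# Full SDDL string, in the same form as the strings quoted in the thread
$sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# 0x001F01FF is the mask SDDL renders as "FA"; 0x00000001 is rendered as "CC".
$FullAccess = 0x001F01FF

$sd.DiscretionaryAcl | ForEach-Object {
    $sid = $_.SecurityIdentifier
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '(unresolved)' }   # e.g. a SID this host cannot translate

    [pscustomobject]@{
        Sid        = $sid.Value
        Account    = $account
        AceType    = $_.AceType
        AccessMask = '0x{0:X8}' -f $_.AccessMask
        # True for the ACEs NetCease writes as FA; False for the default CC-only ACEs
        FullAccess = (($_.AccessMask -band $FullAccess) -eq $FullAccess)
    }
} | Format-Table -AutoSize
```

Run it once before and once after applying the script (or set `$name` to the backup value afterwards) and diff the two tables; the rows for INTERACTIVE, SERVICE and S-1-5-3 are the ones whose mask changes from 0x00000001 to 0x001F01FF in the comparison above.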
Dear Itai or other beloved friends, somehow we have a complex environment; in that case, how can we revert this change?
Hi Rohit, please see the new registry value named "SrvsvcSessionInfoBackup" that was created by this script. It contains your original SrvsvcSessionInfo value, and both are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.
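Added example of the revert described in the reply above; it is not NetCease's own code. It assumes an elevated PowerShell 5.1 or later session on the affected host, that the script's SrvsvcSessionInfoBackup value is still present, and (an assumption, not stated on this page) that the Server service must be restarted, or the host rebooted, for the restored descriptor to take effect.

```powershell
# Added example, not NetCease code: put the pre-NetCease SrvsvcSessionInfo
# descriptor back from the backup value the script created. Run elevated.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

# -ErrorAction Stop turns a missing value into a terminating error instead of a silent $null
$backup = (Get-ItemProperty -Path $key -Name 'SrvsvcSessionInfoBackup' -ErrorAction Stop).SrvsvcSessionInfoBackup
if (-not $backup -or $backup.Count -eq 0) {
    throw 'SrvsvcSessionInfoBackup is empty; nothing to restore.'
}

# Refuse to write back bytes that do not parse as a security descriptor
$null = [System.Security.AccessControl.RawSecurityDescriptor]::new($backup, 0)

# Keep a copy of what is currently in place so this step is itself reversible
$current = (Get-ItemProperty -Path $key -Name 'SrvsvcSessionInfo').SrvsvcSessionInfo
Set-ItemProperty -Path $key -Name 'SrvsvcSessionInfoPreRevert' -Value $current -Type Binary

Set-ItemProperty -Path $key -Name 'SrvsvcSessionInfo' -Value $backup -Type Binary

# Assumption: the Server service reads the descriptor at start, so restart it (or reboot).
# -Force also restarts services that depend on LanmanServer.
Restart-Service -Name LanmanServer -Force
```

The extra SrvsvcSessionInfoPreRevert value is a name chosen for this example, not something the script writes; delete it once you have confirmed session enumeration behaves as expected again.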