Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSA and SMB Null Session Alerts

Running CSA V4.5.1 B616 - We're seeing lots of alerts like the following:

TESTMODE: The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to communicate with x.x.x.x on TCP port 139. The attempted access was to accept a connection as a server (operation = ACCEPT).

This is violating rule 1527 - which is attempting to block anything trying to talk via an SMB Null Session (Unauthenticated file/print sharing) - Problem is we can't "recreate" this in the lab - the process is just "system" so it's hard to pin down - remotelely browsing or attempting connections to C$ on a client with an authenicated host or not

Can anyone explain, exactly what is triggering this, and any rules that "determine" who/what system is??

Surely we're not the first to run into this, as it seems like a fairly common windows thing...


Re: CSA and SMB Null Session Alerts

Your Windows hosts are probably configured with file and print sharing enabled and may also by set to scan for shares when users open explorer.

These settings were on by default in Windows 2000 and XP. As long as your are blocking this you should be fine. We turned these off on our machines but we still block it with CSA unless needed.

You may also note that rules in test mode will generate alerts on the MC even though they are set not to log. You may find other rules that are set to block this and not log it because it is so prevalent.

Tom S

New Member

Re: CSA and SMB Null Session Alerts

I know it's somewhat bad form to reply to one's own post - But perhaps someone else is struggling with a similiar issue..

Anyways, we tried every "possibility" related around file & print shares as it pertained to "Null Sessions" (authenicated in domain, authenticated locally, not authenicated, etc) and could NEVER get this to be repeatable in a "lab" enviroment..

Turns out, these TCP/139 alerts were NOT related to File/Print sharing - Actually their we're all related to the "Computer Browser" service - You can read lots from MS, about where a domain and master browser server need to be - but in the Win2K & WinNT clients, this service was enabled by default.. Disable this service (on the clients - we have a well defined Browse Master chosen on each segement as well as the Domain controller) - Seems other servers (with CSA and the Computer Browser service runinng) are sending out broadcasts, which "attract" other browser clients..

Bottom line, we've made some focused efforts on disabling the "Computer Browser" service on clients with CSA, and nearly all of this "Null Session" TCP/139 alerts are gone..

File and print sharing can cause these alerts, but it typically was NOT under Null sessions, and under these cases it was fairly clear as to the cause, trigger, etc..

Hope this helps someone else down the road.. TCP/139 NAC violations will Null sessions - Check your "Computer Browser" Settings and do some homework in your client browser configs..


Re: CSA and SMB Null Session Alerts

Not bad form at all especially when you shed some better light on the problem. I was way off anyway with the port. Ports 137-9 are NBT related where 445 is SMB. Must have been sleeping...

We saw a lot of things that we never knew were lurking under the surface of our network when we first deployed CSA back in 2003.

As a result have changed how we deploy machines and turning off File and Print Sharing, Computer Browser, , Messenger, SSDP and several other services that were enabled by default has made it a much more quiet (and secure IMHO) network.

Tom S

CreatePlease login to create content