Restrict access for NULL sessions

By default, anonymous users can use NULL sessions to view:

  • Minimum Password length
  • If blank passwords are permitted
  • Maximum password age
  • Password history
  • User list
  • Network shares

This can be restricted by changing the following DWORD value in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymous = 2 (Default = 0)

0 = None. Rely on default permissions
1 = Do not allow enumeration of SAM accounts and names (Will stop NULL session exploits)
2 = No access without explicit anonymous permissions (Win2k only)

Note: enabling this restriction prevents guest account users from seeing network shares, because their logon fails with security error code 3221225572 (Logon Failed: The username doesn’t exist).

More info MS KB143474
More info MS KB246261
More info MS KB296405
More info MS KB328459
More info MS KB837964

Shares can also be accessed using NULL sessions. For security reasons, this is only possible for a restricted set of shares (besides IPC$), specified here:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
NullSessionPipes = “…”
NullSessionShares = “…”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
RestrictNullSessAccess = 1 (Secure = 1, Insecure = 0, Default = No Value; Secure)

More info MS KB122702
More info MS KB289655
More info MS KB815458
More info MS KB830070
More info MS KB896658

Windows XP/2003 introduced a new setting, “Network Access: Do not allow anonymous enumeration of SAM accounts”, which disables enumeration of SAM accounts but still allows enumeration of shares (for Simple File Sharing):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymousSAM = 1 (Default = 1)

More info MS KB328459

Windows XP/2003 introduced a new setting, “Network access: Let Everyone permissions apply to anonymous users”, which ensures that rights granted to the Everyone group (authenticated users) are not automatically granted to the Anonymous Logon security group. Before Windows XP, the Everyone group included both authenticated and anonymous users:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
EveryoneIncludesAnonymous = 0 (Default = 0)

More info MS KB278259
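
A read-only PowerShell audit of the values described above, as an added example that is not part of the original page. It assumes PowerShell 3.0 or later, treats a missing value as the default this page lists, and accepts RestrictAnonymous = 1 as well as 2 because the page marks 2 as Win2k only.

```powershell
# Added example: report the NULL-session registry values named on this page.
# Nothing is modified; the script only reads.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Default = value the page lists when nothing is set ("No Value; Secure" is treated as 1).
# Ok      = values reported as OK (assumption: 1 or 2 both pass for RestrictAnonymous).
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Default = 0; Ok = @(1, 2) }
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Default = 1; Ok = @(1) }
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Default = 0; Ok = @(0) }
    @{ Path = $lanman; Name = 'RestrictNullSessAccess';    Default = 1; Ok = @(1) }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($c in $checks) {
    $raw = Get-RegValue -Path $c.Path -Name $c.Name
    $effective = if ($null -eq $raw) { $c.Default } else { [int]$raw }
    [pscustomobject]@{
        Value     = $c.Name
        Set       = if ($null -eq $raw) { '(not set)' } else { $raw }
        Effective = $effective
        Result    = if ($c.Ok -contains $effective) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize

# Pipes and shares listed here stay reachable over a NULL session,
# so every entry should be one that is actually needed.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @(Get-RegValue -Path $lanman -Name $name | Where-Object { $_ })
    $shown = if ($entries.Count) { $entries -join ', ' } else { '(empty)' }
    '{0}: {1}' -f $name, $shown
}
```

A REVIEW result on RestrictAnonymous with no value set means the host is running with the default of 0 described above.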

Related: Using NULL sessions to access this information

More info MS KB823659
More info MS KB889030