- Minimum Password length
- If blank passwords are permitted
- Maximum password age
- Password history
- Userlist
- Network shares
It is also possible to access shares using NULL sessions. For security reasons it is only possible for a set of restricted shares (besides IPC$) specified here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymous = 2 (Default = 0)
0 = None. Rely on default permissions
1 = Do not allow enumeration of SAM accounts and names (Will stop NULL session exploits)
2 = No access without explicit anonymous permissions (Win2k only)
Note: enabling this restriction prevents guest account users from seeing network shares, because their logon fails with security error code 3221225572 (Logon Failed: The username doesn't exist).
More info MS KB143474
More info MS KB246261
More info MS KB296405
More info MS KB328459
More info MS KB837964
Windows XP/2003 introduced a new setting "Network Access: Do not allow anonymous enumeration of SAM accounts", which disables enumeration of SAM accounts, but still allows enumeration of shares (for Simple File Sharing):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
NullSessionPipes = "..."
NullSessionShares = "..."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
RestrictNullSessAccess = 1 (Secure = 1, Unsecure = 0, Default = No Value; Secure)
More info MS KB122702
More info MS KB289655
More info MS KB815458
More info MS KB830070
More info MS KB896658
Windows XP/2003 introduced a new setting "Network access: Let Everyone permissions apply to anonymous users", which enforces that all rights given to the Everyone group (authenticated users) are not automatically given to the Anonymous Logon security group. Before Windows XP the Everyone group included both authenticated users and anonymous users:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymousSAM = 1 (Default = 1)
More info MS KB328459
Related: Using NULL sessions to access this information
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
EveryoneIncludesAnonymous = 0 (Default = 0)
More info MS KB278259
More info MS KB823659
More info MS KB889030
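An added example, not part of the original page: a small offline audit that reads a regedit export and flags the NULL session settings listed above when they are weaker than the values this page gives. The names parse_reg, audit and SAMPLE are hypothetical, the export is constructed, and an absent value is assumed to take the default stated on this page.

```python
import re

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
# Constructed sample in regedit export format (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"everyoneincludesanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000001
"NullSessionPipes"=hex(7):53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,\
  00,00
"NullSessionShares"=hex(7):44,00,46,00,53,00,24,00,00,00,00,00
'''

def parse_reg(text):
    """Return {key: {value: int | list[str]}} with key and value names lower-cased."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive[key] = {}
        elif key and (m := re.match(r'"([^"]+)"=(dword|hex\(7\)):(.*)', line)):
            name, kind, data = m.group(1).lower(), m.group(2), m.group(3)
            if kind == "dword":
                hive[key][name] = int(data, 16)
            else:  # REG_MULTI_SZ: NUL-separated UTF-16LE strings
                raw = bytes(int(b, 16) for b in data.split(",") if b)
                hive[key][name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return hive

def audit(hive):
    """Flag values weaker than this page lists; absent values take the page's defaults."""
    lsa, srv = hive.get(LSA, {}), hive.get(SRV, {})
    checks = [("RestrictAnonymous", lsa.get("restrictanonymous", 0) != 0),
              ("RestrictAnonymousSAM", lsa.get("restrictanonymoussam", 1) == 1),
              ("EveryoneIncludesAnonymous", lsa.get("everyoneincludesanonymous", 0) == 0),
              ("RestrictNullSessAccess", srv.get("restrictnullsessaccess", 1) == 1)]
    findings = [f"{name}: weaker than the value on this page" for name, ok in checks if not ok]
    for name in ("nullsessionpipes", "nullsessionshares"):
        findings += [f"{name}: {e} is listed for NULL session access" for e in srv.get(name, [])]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_reg(SAMPLE))))
```

Run against the output of a regedit export of the two keys; the sample yields four findings, two for LSA values and one each for the listed pipe and share.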
I've tried to set both the restrictAnonymous and restrictAnonymous but yet the problem is still there. Further to this, I also
Create Key Name:
RestrictNullSessAccess Reg_Dword set to "1" (Decimal)
Restrict Null Session Access over Named Pipes and Shares
By default the entries are:
NullSessionPipes    NullSessionShares
COMNAP              COMCFG
COMNODE             DFS$
SQL\QUERY
SPOOLSS
EPMAPPER
LOCATOR
TrkWks
Navigate to the following registry key:
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Value Name: NullSessionPipes
NullSessionShares
Use Regedt32, Edit, Multistring and remove all entries from the 2 values
Do you have any idea? I'm running on Windows XP.
What kind of "problem" are you experiencing?
Are you using simple filesharing?
Remember that the group policy "Network access: Do not allow anonymous enumeration of SAM accounts and shares" will configure the RestrictAnonymous registry setting at start up.