PRB: Access Denied When Opening a Named Pipe from a Service (126645)


The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 3.5
    • the operating system: Microsoft Windows NT 3.51
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP
This article was previously published under Q126645

SYMPTOMS

If a service running in the Local System account attempts to open a named pipe on a computer running Windows NT version 3.5 or later, the operation may fail with an Access Denied error (error 5). This can happen even if the pipe was created with a NULL DACL.

CAUSE

In Windows NT version 3.1, a process running in the Local System account could connect to a resource using a Null Session. For security reasons, use of the Null Session is restricted by default on Windows NT version 3.5 or later.

RESOLUTION

You can allow access to a named pipe using the Null Session by adding the pipe name to the following registry entry on the machine that creates the named pipe: 
   \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ 
      Parameters\NullSessionPipes
The pipe name added to this entry is the name after the last backslash in the string used to open the pipe. For example, if you use the following string to open the pipe: 
   \\hardknox\pipe\mypipe
you would add mypipe to the NullSessionPipes entry on the computer named hardknox.

You must either reboot or restart (stop and then start) the Server service for changes in this entry to take effect. Also, the named pipe will still need to have a NULL DACL.

In Windows NT 3.51 and later, by customer request, it is no longer necessary to reboot. Once a named pipe is added to the key listed above, null-session connections to that pipe will immediately be accessible.

This new functionality allows programs to permit null session access to named pipes that do not have names known prior to booting the system.

MORE INFORMATION

Usually, when a session is established between a computer supplying a resource (server) and a computer that wants to use the resource (client), the client is identified and credentials are verified. When a Null Session is used, there is no validation of the client; everyone is allowed access.

If you allow a pipe to be used by a Null Session, you should either:

  • Verify that the data supplied by the pipe is truly public.

    -or-
  • Use an alternative method for verifying clients.

REFERENCES

The "Windows NT Registry Entries" Help file in the Windows NT version 3.5 Resource Kit.
Modification Type:MajorLast Reviewed:3/16/2004
Keywords:kbACL kbAPI kbKernBase kbprb kbSecurity kbService KB126645
©2004 Microsoft Corporation. All rights reserved.