Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SUMMARY
This article describes how to enable null session shares on
a computer that is running Windows 2000.
More Information
When a program or service is started by using the System user
account, the program or service logs on with null credentials. If that program
or service attempts to access a remote Windows 2000 server resource such as a
file share (using a null session), the operation may fail if the file share is
not configured as a null session share, or if registry, group or policy
restrictions are in effect on the server that is hosting the file
share.
There are several settings that govern null session access on
Windows 2000. When you configure null session shares, you must first explicitly
enable null session access on shares or named pipes. To do so, modify the
registry of each remote resource computer.
Warning If you configure a shared resource in this manner, the resource
is not secure. Microsoft does not recommend that you use this configuration if
you are considering null session security.
Enable null session shares
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To enable null session access,
you must modify the registry on every cluster node:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
NOTE: NullSessionShares is a REG_MULTI_SZ value.
- On a new line in the NullSessionShares key, type the name of the share that you want to access with a
null session (for example, public).
- If the program uses named pipes and requires null session
support, locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
NOTE: NullSessionPipes is a REG_MULTI_SZ value.
On a new line in the NullSessionPipes key, type the name of the pipe that you want to access with a
null session.
- Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0
- Quit Registry Editor.
- Restart the server.
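An added example, not part of the original article: a Python audit that reads a Registry Editor export and reports the three values changed in the steps above, so a server left in this configuration can be identified. It assumes a "Windows Registry Editor Version 5.00" export; the sample export and the pipe name apppipe are constructed for illustration.

```python
import re
# Constructed sample: regedit "Version 5.00" export of a host configured as in
# the steps above (share "public"; the pipe name "apppipe" is hypothetical).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionShares"=hex(7):70,00,75,00,62,00,6c,00,69,00,63,00,00,00,00,00
"NullSessionPipes"=hex(7):61,00,70,00,70,00,70,00,69,00,70,00,65,00,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000000
'''
PARAMS = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def parse_reg(text):
    """Map (key path, value name), both lower-cased, to the decoded data."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(hex\(7\)|dword):(.*)$', line)
        if not (m and key):
            continue
        name, kind, data = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "dword":
            values[key, name] = int(data, 16)
        else:  # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated
            raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
            values[key, name] = [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return values

def audit(text):
    """Return findings for the three values this article changes."""
    v, findings = parse_reg(text), []
    for name in ("NullSessionShares", "NullSessionPipes"):
        entries = v.get((PARAMS, name.lower()), [])
        if entries:
            findings.append(f"{name}: null session access to {', '.join(entries)}")
    # Assumption of this example: an absent RestrictAnonymous is reported like 0.
    if v.get((LSA, "restrictanonymous"), 0) == 0:
        findings.append("RestrictAnonymous: 0 or not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```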
Allow anonymous access by clients running NT 4.0 (optional)
You may need to adjust the Windows 2000 security groups and
security policies to allow for anonymous access from Microsoft Windows NT 4.0
clients. To do so, use either of the following methods:
- If you used the Active Directory Installation Wizard to
create a Windows 2000-based domain by upgrading a server to a domain
controller, enable the Allow pre-Windows 2000 servers to access Active
Directory option.
-or-
- If you add a Windows NT 4.0-based client to a domain that
has not been adjusted to allow pre-Windows 2000 server access, use the
following command to adjust security on the Windows 2000 domain controller:
net localgroup "pre-windows 2000 compatible access" everyone /add
When you use this command, security can be
compromised because it allows anonymous users to read information on this
domain. When there are no longer any Windows NT 4.0-based clients in the
domain, you can use the following command to remove legacy access:
net localgroup "pre-windows 2000 compatible access" everyone /delete
NOTE: You can also run the net localgroup commands on a Windows 2000 standalone or member server to permit
anonymous access locally on that server.
To prevent anonymous (null) session connections, set the
Additional restrictions for anonymous connections security policy that is
located in Windows Settings\Security Settings\Local Policies\Security Options
to No Access. When you do so, anonymous (null) session connections are
prevented on the computers on which this policy is applied.
Note You must enable the guest account to let anonymous users log on. By default, this account is disabled.