How to enable null session shares on a Windows 2000-based computer

Article ID: 289655
This article was previously published under Q289655
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.

SUMMARY

This article describes how to enable null session shares on a computer that is running Windows 2000.

More Information

When a program or service is started by using the System user account, the program or service logs on with null credentials. If that program or service attempts to access a remote Windows 2000 server resource such as a file share (using a null session), the operation may fail if the file share is not configured as a null session share, or if registry, group or policy restrictions are in effect on the server that is hosting the file share.

There are several settings that govern null session access on Windows 2000. When you configure null session shares, you must first explicitly enable null session access on shares or named pipes. To do so, modify the registry of each remote resource computer.

Warning If you configure a shared resource in this manner, the resource is not secure. Microsoft does not recommend that you use this configuration if you are considering null session security.

Enable null session shares

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To enable null session access, you must modify the registry on every cluster node:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following value in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
    NOTE: NullSessionShares is a REG_MULTI_SZ value.

  3. On a new line in the NullSessionShares value, type the name of the share that you want to access with a null session (for example, public).
  4. If the program uses named pipes and requires null session support, locate the following value in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
    NOTE: NullSessionPipes is a REG_MULTI_SZ value.

    On a new line in the NullSessionPipes value, type the name of the pipe that you want to access with a null session.
  5. Locate and click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
  6. On the Edit menu, click Add Value, and then add the following registry value:
    Value Name: RestrictAnonymous
    Data Type: REG_DWORD
    Value: 0
  7. Quit Registry Editor.
  8. Restart the server.
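
To find servers that carry the settings from the steps above, the following added example (not part of the original article and not Microsoft code) audits the text of a registry export for NullSessionShares, NullSessionPipes and RestrictAnonymous. The sample export is constructed for illustration, and the function names are assumptions of this example.

```python
import re

# Constructed sample: Regedit 5 export text (already decoded from UTF-16)
# holding the values the steps above set. "public" is the article's example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionShares"=hex(7):70,00,75,00,62,00,6c,00,69,00,63,00,00,00,\
  00,00
"NullSessionPipes"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
'''

# Registry paths are case-insensitive, so compare them in lower case.
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def decode(raw):
    """Decode the .reg data types this audit needs."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE, NUL-separated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: decoded_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1).lower()] = decode(m.group(2))
    return keys

def audit(text):
    """List the null-session exposures present in an exported hive."""
    keys = parse_reg(text)
    params, lsa = keys.get(LANMAN, {}), keys.get(LSA, {})
    findings = [f"{name}: '{entry}' is reachable over a null session"
                for name in ("nullsessionshares", "nullsessionpipes")
                for entry in params.get(name, [])]
    if lsa.get("restrictanonymous") == 0:
        findings.append("restrictanonymous: 0 (no additional restrictions for anonymous connections)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

An empty findings list means the export names no null session shares or pipes and does not set RestrictAnonymous to 0.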

Allow anonymous access by clients running NT 4.0 (optional)

You may need to adjust the Windows 2000 security groups and security policies to allow for anonymous access from Microsoft Windows NT 4.0 clients. To do so, use either of the following methods:
  • If you used the Active Directory Installation Wizard to create a Windows 2000-based domain by upgrading a server to a domain controller, enable the Allow pre-Windows 2000 servers to access Active Directory option.

    -or-
  • If you add a Windows NT 4.0-based client to a domain that has not been adjusted to allow pre-Windows 2000 server access, use the following command to adjust security on the Windows 2000 domain controller:
    net localgroup "pre-windows 2000 compatible access" everyone /add
    When you use this command, security can be compromised because it allows anonymous users to read information on this domain. When there are no longer any Windows NT 4.0-based clients in the domain, you can use the following command to remove legacy access:
    net localgroup "pre-windows 2000 compatible access" everyone /delete
    NOTE: You can also run the net localgroup commands on a Windows 2000 standalone or member server to permit anonymous access locally on that server.
To prevent anonymous (null) session connections, set the Additional restrictions for anonymous connections security policy that is located in Windows Settings\Security Settings\Local Policies\Security Options to No Access. When you do so, anonymous (null) session connections are prevented on the computers on which this policy is applied.

Note You must enable the guest account to let anonymous users log on. By default, this account is disabled.

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
132679 Local System account and null sessions in Windows NT

Properties

Article ID: 289655 - Last Review: October 31, 2006 - Revision: 6.5
APPLIES TO
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1