Troubleshooting Server Message Block inbound connection limit in Windows peer-to-peer workgroup

In a peer-to-peer workgroup, when you try to connect to the network resources of a computer that is running any of the products listed at the beginning of this article, you may receive one of the following error messages:

This problem occurs when a computer reaches the maximum number of host connections that are allowed. In this case, when a NULL session connection is generated in the Microsoft Windows 2000 client, this NULL session connection is counted as one session on the Microsoft Windows XP-based server. Therefore, the error messages occur that are mentioned in this "Symptom" section, even if the number of connections to computers do not exceed the limit.

In addition, when multiple NULL sessions are generated from a single Windows 2000 client computer, the multiple NULL sessions are counted as multiple sessions. However, a NULL session appears as a single session when you run the net session command. In this case, when the RestrictAnonymous registry entry is set, and the NULL session connection is rejected, this symptom still occurs.

Notes

• For Windows XP Professional-based computers, the maximum number of concurrent network connections that are allowed is 10. This limit includes all transfer and all resource share protocols. For Windows XP Home Edition-based computers, the maximum number of concurrent network connections that are allowed is 5. This limit is the number of sessions that can be hosted at the same time from other computers. Therefore, we cannot use the administrative tool usage to connect to the system from a remote computer.

• When multiple NULL sessions are connected from a single computer, each one of them is counted.
• Only one IPC$ can be checked by using the net session command. For example, when a single Windows 2000-based computer tries to use multiple IPC$ sessions, only one single IPC$ session can be used at a time.
• RestrictAnonymous is not valid for this resolution.

A Windows client workstation may have opened a pipe connection to the named pipe \PIPE\spoolss on either a print server or a workstation that has a shared printer. This typically occurs when you start a program (such as Microsoft Word) that queries printers, or if you open the Printers folder in Control Panel. Printer spooling on both the client and the server will open a handle related to this connection.
A Remote Procedure Call (RPC) requires one named pipe instance for every active RPC call (like OpenPrinter). If an OpenPrinter call stops responding, RPC keeps open the named pipe connection. RPC does not disconnect this connection until the context handle (that is OpenPrinters) has been closed.

If both the following conditions are true, you may open an anonymous connection (also known as null session connection) that never closes to the named pipe \PIPE\spoolss on the workstation that acts as the server in your peer to peer network:

• Your client has connected a shared printer on the computer that acts as a 'print server'.
• You have set up a local shared printer on one or more clients.

Use one of the following methods to restrict null session connections on your workstation that is acting as a print server. The preferred method is the first one.

Method 1

Disable null session connections on the Windows computer that exceeds its incoming connection limit and shows some additional null session connections either by using the Group Policy GUI or by setting a registry key.

Using the Group Policy User Interface (Local Security Policy MMC Snap-In)

1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
   
   Note If you cannot perform this step because Administrative Tools does not appear in the Program list, click Start, point to Settings, point to Control Panel, double-click Administrative Tools, and then click Local Security Policy.
   
   Note In Windows XP, the RestrictAnonymous subkey can have a value of 0 or 1. A value of 1 restricts null session connections on Windows XP-based clients. For regulation of the enumeration of SAM accounts, the following new registry subkey has been added:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam
   The policy is configurable via Local Security Settings under Security Settings\Local Policies\Security Options\Network Access: Do not allow anonymous enumeration of SAM accounts.
2. In Security Settings, double-click Local Policies, and then click Security Options.
3. Double-click Additional restrictions for anonymous connections, and then under Local policy setting:, click No access without explicit anonymous permissions.
4. Restart the computer.

This policy restricts null session connections.

Using Registry Editor

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To restrict null session connections (or disable null session access):

1. Start Registry Editor.
2. Locate, and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value Name: RestrictAnonymous
   Data Type: REG_DWORD
   Value: 2
   Default: 0
   
   A value of 2 restricts null session connections.
   
   To set the RestrictAnonymous value, change the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:
   • 0 None. Rely on default permissions.
   • 1 Do not allow enumeration of SAM accounts and names.
   • 2 No access without explicit anonymous permissions
4. Restart the computer.

Method 2

Use the following method to avoid null session connections that have a high session idle time and that have opened a handle to the named pipe \PIPE\spoolss.

Remove Printer Share on Clients

Identify clients that have local printer shares enabled (see the "More Information" section for additional information) and remove all local printer shares on these computers:

1. Open the Printers folder to verify whether you have shared a local printer.
2. Open the Properties window of the shared printer, and then click Sharing.
3. Click to select the Not Shared option.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Computers that run Windows NT Workstation 4.0, Windows 2000 Professional, and Windows XP Professional are licensed for a maximum of 10 concurrent client incoming sessions. Computers that run Windows XP Home Edition are licensed for a maximum of 5 concurrent client incoming sessions. All logical drive, logical printer, and transport level connections combined from a single computer are one session.

If the server service already has the maximum number of open sessions and one more user tries to allocate a resource, the computer returns the error messages that are described in the "Symptoms" section of this article.

Typically a computer does not have multiple sessions to another computer. But there are exceptions. For example, computer A is running a service under another user context than the logged-on user, and that service creates a logical connection to computer B. The logical connection can result from file shares, printers, serial ports, and also from communication between computers using named pipes and mail slots.

Use the following commands to get information about sessions and open files and shared resources.

Information About Active Sessions on the Computer That Is Running the Server Service

To receive information about active sessions on the computer that is running the server service, type the following command: Count the number of open sessions to see if the session limit of 10, or 5 in the case of Windows XP Home Edition, is already reached. Typically there is only one session per remote client.

If there is more than one session from a remote client, view the User name context on the remote client that has set up more than one session:

• View all the services that are running, and find out if one is running under the user context of the username shown in the session table.
• Look for scheduled tasks that are running in a logon script and are using a different user account then the one logging in.
• Look for rows where the User name column is empty and examine the idle time.

A session that has an empty user context is a null session.

Temporary null sessions are usually caused by IPC$ connections as the first step in establishing a connection. They stay active for 30 seconds to 90 seconds.

Note To disconnect client computer sessions, use the following command: This command disconnects all sessions from that computer and closes all open files. This command may cause data loss if open files that have not been saved are closed.

Information About Open Files

To receive information about open files, on the computer that is running the server service, type the following command: If you have seen permanent null user sessions in the session table, determine which file or pipe the null user is using.

Information About NetBIOS Connection Table

To see a listing of incoming and outgoing connections and the amount of traffic carried on these connections, type the command:

Information About Shared Resources

To see file shares, hidden administrative shares and shared printers, type the following command: You may have to perform further troubleshooting to determine the causes for multiple client sessions.

Use Network Monitor to find out which component initiates an additional session and what security context is used for the Server Message Block (SMB) session. To filter the traffic that printer spooling causes, use the R_WINSPOOL parser in Network Monitor. If a Windows-based computer looks for computers that are acting as a Print Queue Server, it uses NetShareEnum transactions through the RemAPI protocol (also known as the Microsoft Windows Lanman Remote API Protocol). By default, when you use a NetShareEnum transaction, you require only anonymous access to make NetServerEnum2 and NetServerEnum3 requests. By default, Windows operating systems have anonymous access enabled.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: