Article ID: 890161
Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry
This article describes the effects of removing null sessions from the Microsoft Windows 2000 and Microsoft Windows NT environments. Specifically, this article discusses the following topics:
Enumeration in the Windows 2000 and Windows NT environments
In Windows 2000 and Windows NT environments, enumeration is an information-gathering technique that can be used by malicious users. Enumeration involves establishing an active connection to a computer and then directing queries to that computer. Because enumeration involves establishing an active connection, users should log the connection through auditing. Through an anonymous connection, malicious users try to gather computer-specific information that can be used in an attack.
To prevent enumeration attacks on their internal networks, most organizations use external firewalls to block the ports and the services that are used for Windows 2000 and Windows NT enumeration attacks. This prevents malicious users on external networks from conducting enumeration attacks. Therefore, the following conditions are true for most enumeration attacks:
Null sessions and enumeration
By default, Windows 2000 and Windows NT rely on Common Internet File System (CIFS) and Server Message Blocks (SMBs). SMBs include APIs that return information about a computer through ports 139 and 445. This information is provided even to an unauthenticated user. A null session is an unauthenticated connection to a Windows 2000 or a Windows NT-based computer. A null session can then be used to access the SMB APIs remotely. Null sessions are also referred to as null session connections, anonymous logon, and anonymous connections. In Windows 2000 and Windows NT environments, null sessions are used to gather information about the following:
Using the RestrictAnonymous registry value to control null sessions
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
The most common way to control null sessions in Windows 2000 and Windows NT environments is to use the RestrictAnonymous registry value. The RestrictAnonymous registry value lets you prevent enumeration of sensitive information over null sessions. The RestrictAnonymous registry value was introduced in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and is now included with Windows 2000. The RestrictAnonymous registry value is added to the following registry key:
The RestrictAnonymous registry value lets you configure local computer policy to determine whether authentication is required to perform common enumeration functions. There are different RestrictAnonymous registry values for Windows NT 4.0 and Windows 2000.
In a Windows 2000 environment, you can set the RestrictAnonymous registry value to 0, 1, or 2. When you set this registry value to 0, anonymous connections can list account names and enumerate share names. When you set this registry value to 1, anonymous enumeration of SAM accounts and share names is not permitted.
Note: Even with the RestrictAnonymous registry value set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when the RestrictAnonymous registry value is set to 1.
Finally, when this registry value is set to 2, no access is granted without explicit anonymous permissions. Therefore, no null sessions are possible, not even through Win32 programming interfaces. Generally, we do not recommend that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level client computers such as Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98.
In a Windows NT 4.0 environment, you can set the RestrictAnonymous registry value to 0, 1, or not defined. When you set this value to 0, or when this value is not defined, anonymous connections can list account names and enumerate share names. When you set this value to 1, anonymous connections from the graphical user interface (GUI) tools for security management receive an "access denied" error message when they try to obtain the list of account names.
Note: Even when the RestrictAnonymous registry value is set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when this registry value is set to 1.
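One way to audit collected settings against the value semantics described above, as an added example that is not part of the original article: it parses `reg query` output (format assumed) and reports combinations the article does not define as unknown rather than guessing. The host names, sample output, `<key>` placeholder and function names are constructed for illustration.

```python
import re

# Value line as printed by `reg query` (assumed format), e.g.
#     RestrictAnonymous    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*RestrictAnonymous\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_restrict_anonymous(reg_output):
    """Return the DWORD as an int, or None if the value is not defined."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None

def assess(os_name, reg_output, downlevel_clients=False):
    """Classify one host as (level, notes) using the article's semantics.

    os_name is "nt4" or "win2000"; level is open, partial, closed or unknown.
    """
    if os_name not in ("nt4", "win2000"):
        raise ValueError("only nt4 and win2000 are described")
    value = parse_restrict_anonymous(reg_output)
    if value == 0 or (value is None and os_name == "nt4"):
        return "open", ["anonymous connections can list account and share names"]
    if value == 1:
        return "partial", ["Win32 interfaces can still enumerate over a null session"]
    if value == 2 and os_name == "win2000":
        notes = ["no access without explicit anonymous permissions"]
        if downlevel_clients:
            notes.append("not recommended with down-level clients (NT 4.0, 95, 98)")
        return "closed", notes
    # Undefined on win2000, 2 on nt4 and any other value are not described
    # by the article, so they are reported instead of guessed.
    return "unknown", [f"value {value!r} on {os_name} is not covered"]

# Constructed inventory: (OS, reg query output, down-level clients present).
# "<key>" stands in for the key header line that reg query prints.
SAMPLES = {
    "dc01": ("win2000", "<key>\n    RestrictAnonymous    REG_DWORD    0x2\n", True),
    "fs02": ("win2000", "<key>\n    RestrictAnonymous    REG_DWORD    0x1\n", False),
    "nt-old": ("nt4", "<key>\n", False),
}

def audit(samples=SAMPLES):
    """Assess every host in the inventory."""
    return {host: assess(*args) for host, args in samples.items()}

if __name__ == "__main__":
    for host, (level, notes) in audit().items():
        print(f"{host}: {level}: {'; '.join(notes)}")
```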
The following features were introduced together with the RestrictAnonymous registry value:
Authenticated Users group
The Authenticated Users group is similar to the Everyone group, except for one important difference: Anonymous logon users or null session connections are never members of the Authenticated Users group. An authenticated network connection from any account in the server's domain, or from any domain that is trusted by the server's domain, is identified as an authenticated user. The Authenticated Users group can grant access permissions to resources. The Authenticated Users group feature does not modify any existing access control lists (ACLs). Therefore, access permissions that were granted to the Everyone group are not changed to use the Authenticated Users group.
Restricting anonymous list of share names
The server service that provides remote file access to share resources also uses the RestrictAnonymous registry value to control whether anonymous connections can obtain a list of share names. Therefore, you can set the value of a single registry configuration entry to define how the computer responds to enumeration requests by anonymous logons.
Restricting anonymous remote registry access
The RestrictAnonymous registry value also lets you restrict anonymous remote registry access. This feature prevents anonymous users from connecting to the registry remotely. It also prevents anonymous users from reading or from writing any registry data. Remote access to the registry is controlled through the ACL on the winreg registry key. The ACL on the winreg registry key identifies the authenticated users who can remotely connect to the registry.
The effect of removing null sessions from the Windows 2000 and Windows NT environments
By enabling the RestrictAnonymous registry value in Windows 2000 and in Windows NT, you can remove null sessions from your Windows 2000 and Windows NT environments. However, this affects Windows 2000 and Windows NT functionality and applications.
When you set the RestrictAnonymous registry value to 2 in a Windows 2000 environment, the access token that is built for non-authenticated users does not include the Everyone group. Therefore, this access token no longer has access to those resources that grant permissions to the Everyone group. When you set this value to 2 on a Windows 2000-based domain controller, you may experience the following symptoms:
For more information about setting Restrict Anonymous to 0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
823659 (http://support.microsoft.com/kb/823659/) Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
For more information about the effect of removing null sessions on domains and on trusts, click the following article numbers to view the articles in the Microsoft Knowledge Base:
178640 (http://support.microsoft.com/kb/178640/) Could not find domain controller when establishing a trust
296405 (http://support.microsoft.com/kb/296405/) The "RestrictAnonymous" registry value may break the trust to a Windows 2000 domain
135060 (http://support.microsoft.com/kb/135060/) Access denied attempting to change client domain password
293127 (http://support.microsoft.com/kb/293127/) The Net Logon service of a Windows NT 4.0 BDC does not function in a Windows 2000 domain
129457 (http://support.microsoft.com/kb/129457/) RestrictAnonymous access enabled lets anonymous connections obtain the password policy
198941 (http://support.microsoft.com/kb/198941/) Users cannot change password when logging on
196289 (http://support.microsoft.com/kb/196289/) SP3 clients cannot change passwords - error C00000BE
192126 (http://support.microsoft.com/kb/192126/) Add workstation fails with RestrictAnonymous
For more information about the effect of removing null sessions in SMS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
311257 (http://support.microsoft.com/kb/311257/) Resources are not discovered if anonymous connections are turned off
312512 (http://support.microsoft.com/kb/312512/) Network discovery cannot connect anonymously to client after remote client installation
For more information about the effect of removing null sessions in Exchange Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:
319879 (http://support.microsoft.com/kb/319879/) MAPI clients cannot view the Global Address List and resolve names
309622 (http://support.microsoft.com/kb/309622/) Clients cannot browse the Global Address List after you apply the Q299687 Windows 2000 security hotfix
272726 (http://support.microsoft.com/kb/272726/) Administrators are able to browse user list of untrusted domains
260870 (http://support.microsoft.com/kb/260870/) Restrict Anonymous prevents discovery of Windows NT 4.0 domain
For more information about restricting information available to anonymous logon users, click the following article numbers to view the articles in the Microsoft Knowledge Base:
143474 (http://support.microsoft.com/kb/143474/) Restricting information available to anonymous logon users
246261 (http://support.microsoft.com/kb/246261/) How to use the RestrictAnonymous registry value in Windows 2000
Also see Hacking Exposed Windows 2000: Network Security Secrets and Solutions by Stuart McClure and Joel Scambray.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Article ID: 890161 - Last Review: October 30, 2006 - Revision: 3.1