Help and Support

How to enable null session shares on a Windows 2000-based computer

View products that this article applies to.
Article ID:289655
Last Review:October 31, 2006
Revision:6.3
This article was previously published under Q289655
On This Page

SUMMARY

This article describes how to enable null session shares on a computer that is running Windows 2000.

More Information

When a program or service is started by using the System user account, the program or service logs on with null credentials. If that program or service attempts to access a remote Windows 2000 server resource such as a file share (using a null session), the operation may fail if the file share is not configured as a null session share, or if registry, group or policy restrictions are in effect on the server that is hosting the file share.

There are several settings that govern null session access on Windows 2000. When you configure null session shares, you must first explicitly enable null session access on shares or named pipes. To do so, modify the registry of each remote resource computer.

Warning If you configure a shared resource in this manner, the resource is not secure. Microsoft does not recommend that you use this configuration if you are considering null session security.

Back to the top

Enable null session shares

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows


To enable null session access, you must modify the registry on every cluster node:
1.Start Registry Editor (Regedt32.exe).
2.Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
NOTE: NullSessionShares is a REG_MULTI_SZ value.

3.On a new line in the NullSessionShares key, type the name of the share that you want to access with a null session (for example, public).
4.If the program uses named pipes and requires null session support, locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
NOTE: NullSessionPipes is a REG_MULTI_SZ value.

On a new line in the NullSessionPipes key, type the name of the pipe that you want to access with a null session.
5.Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
6.On the Edit menu, click Add Value, and then add the following registry value:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0
7.Quit Registry Editor.
8.Restart the server.

Back to the top

Allow anonymous access by clients running NT 4.0 (optional)

You may need to adjust the Windows 2000 security groups and security policies to allow for anonymous access from Microsoft Windows NT 4.0 clients. To do so, use either of the following methods:
If you used the Active Directory Installation Wizard to create a Windows 2000-based domain by upgrading a server to a domain controller, enable the Allow pre-Windows 2000 servers to access Active Directory option.

-or-
If you add a Windows NT 4.0-based client to a domain that has not been adjusted to allow pre-Windows 2000 server access, use the following command to adjust security on the Windows 2000 domain controller:
net localgroup "pre-windows 2000 compatible access" everyone /add
When you use this command, security can be compromised because it allows anonymous users to read information on this domain. When there are no longer any Windows NT 4.0-based clients in the domain, you can use the following command to remove legacy access:
net localgroup "pre-windows 2000 compatible access" everyone /delete
NOTE: You can also run the net localgroup commands on a Windows 2000 standalone or member server to permit anonymous access locally on that server.
To prevent anonymous (null) session connections, set the Additional restrictions for anonymous connections security policy that is located in Windows Settings\Security Settings\Local Policies\Security Options to No Access. When you do so, anonymous (null) session connections are prevented on the computers on which this policy is applied.

Note You must enable the guest account to let anonymous users log on. By default, this account is disabled.

Back to the top

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
132679 (http://support.microsoft.com/kb/132679/) Local System account and null sessions in Windows NT

Back to the top

APPLIES TO
Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000 Advanced Server

Back to the top

Keywords: 
kbenv kbhowtomaster KB289655

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.