More InformationWhen a program or service is started by using the System user account, the program or service logs on with null credentials. If that program or service attempts to access a remote Windows 2000 server resource such as a file share (using a null session), the operation may fail if the file share is not configured as a null session share, or if registry, group or policy restrictions are in effect on the server that is hosting the file share.
There are several settings that govern null session access on Windows 2000. When you configure null session shares, you must first explicitly enable null session access on shares or named pipes. To do so, modify the registry of each remote resource computer.
Warning If you configure a shared resource in this manner, the resource is not secure. Microsoft does not recommend that you use this configuration if you are considering null session security.
Enable null session sharesImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To enable null session access, you must modify the registry on every cluster node:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionSharesNOTE: NullSessionShares is a REG_MULTI_SZ value.
- On a new line in the NullSessionShares key, type the name of the share that you want to access with a null session (for example, public).
- If the program uses named pipes and requires null session support, locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipesNOTE: NullSessionPipes is a REG_MULTI_SZ value.
On a new line in the NullSessionPipes key, type the name of the pipe that you want to access with a null session.
- Locate and click the following key in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- On the Edit menu, click Add Value, and then add the following registry value: Value Name: RestrictAnonymous
Data Type: REG_DWORD
- Quit Registry Editor.
- Restart the server.
Allow anonymous access by clients running NT 4.0 (optional)You may need to adjust the Windows 2000 security groups and security policies to allow for anonymous access from Microsoft Windows NT 4.0 clients. To do so, use either of the following methods:
- If you used the Active Directory Installation Wizard to create a Windows 2000-based domain by upgrading a server to a domain controller, enable the Allow pre-Windows 2000 servers to access Active Directory option.
- If you add a Windows NT 4.0-based client to a domain that has not been adjusted to allow pre-Windows 2000 server access, use the following command to adjust security on the Windows 2000 domain controller:net localgroup "pre-windows 2000 compatible access" everyone /addWhen you use this command, security can be compromised because it allows anonymous users to read information on this domain. When there are no longer any Windows NT 4.0-based clients in the domain, you can use the following command to remove legacy access:net localgroup "pre-windows 2000 compatible access" everyone /deleteNOTE: You can also run the net localgroup commands on a Windows 2000 standalone or member server to permit anonymous access locally on that server.
Note You must enable the guest account to let anonymous users log on. By default, this account is disabled.
Article ID: 289655 - Last Review: Jun 19, 2014 - Revision: 1