4.7.15. NULL sessions restrictions of server and workstation RPC operations

For some of the lanmanserver and lanmanworkstation RPC services operations (srvsvc and wkssvc named pipes), restrictions are hardcoded and documented in MSDN, under the Security requirements section. Sometimes, depending on the requested information level, it is necessary (or not) to be a member of the Administrators or Account Operators local group.

The following srvsvc operations can be used anonymously:
In addition, on Windows 2000 workstation and member servers, the following srvsvc operations can be used anonymously if RestrictAnonymous is set to 0:
The following wkssvc operations can be used anonymously:

It is possible to modify the security requirements for some of the srvsvc operations, modifying some of the security descriptors found under the DefaultSecurity registry key, under the lanmanserver registry key.

On a default Windows 2000 system, the following registry values are available:
On Windows XP and Windows Server 2003, additional security descriptors exist:
The Tweak UI tool (part of Microsoft PowerToys for Windows XP) has an Access Control feature that allows the configuration of these security descriptors for Windows XP and Windows Server 2003:

Using Tweak UI, it is possible to harden Windows XP and Windows Server 2003 against NULL sessions to the srvsvc interface, removing ACE that contain ANONYMOUS LOGON.

The security descriptors are only read when the lanmanserver service starts. Thus, any modification requires a restart of the service.