4.7.2. Enabling NULL session restrictions

In Windows NT, NULL sessions were used by processes running under the LOCALSYSTEM logon session when they needed to establish a network logon session on a remote server.

Because processes running as LOCALSYSTEM did not have network credentials in Windows NT, the only way to establish a network logon session on a remote server was to use an empty login and password during SMB authentication.

It turned out that NULL sessions could be used to gather some sensitive information anonymously.

Microsoft added NULL session restrictions in Windows NT 3.5. These restrictions are controlled by the following registry value, which has been enabled by default since NT 3.5:

Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Value: RestrictNullSessAccess (REG_DWORD)
Content: 1 to enable NULL session restrictions (default value)

In recent Windows systems, this registry value (enabled by default) is also exposed as a security option:

Network access: Restrict anonymous access to Named Pipes and Shares
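
To audit a server for the registry value described above, the following PowerShell function reads it and reports its state. It is an added example, not part of the original guide; the function name Get-NullSessionRestriction and the status labels are hypothetical.

```powershell
# Added example: audit the RestrictNullSessAccess value on the local machine.
# The function name and the Status labels are hypothetical, chosen for illustration.
function Get-NullSessionRestriction {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',
        [string]$ValueName = 'RestrictNullSessAccess'
    )

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kind     = $null   # registry type actually stored
        Data     = $null   # raw content of the value
        Status   = $null   # Enabled / NotEnabled / WrongType / NotConfigured / KeyMissing
    }

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        # The LanmanServer parameters key could not be opened.
        $result.Status = 'KeyMissing'
        return $result
    }

    if ($key.GetValueNames() -notcontains $ValueName) {
        # Value absent: the explicit setting is not present, flag it for review.
        $result.Status = 'NotConfigured'
        return $result
    }

    $result.Kind = $key.GetValueKind($ValueName)
    $result.Data = $key.GetValue($ValueName)

    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The value must be a REG_DWORD; any other type is a misconfiguration.
        $result.Status = 'WrongType'
    }
    elseif ($result.Data -eq 1) {
        # 1 enables NULL session restrictions.
        $result.Status = 'Enabled'
    }
    else {
        $result.Status = 'NotEnabled'
    }
    return $result
}

Get-NullSessionRestriction | Format-List
```

Any status other than Enabled should be reviewed against the security option named above.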

The different NULL session restrictions are detailed in the next sections.