4.7.14. NULL session restrictions for the lsarpc interface on Active Directory domain controllers

On both Windows 2000 and Windows Server 2003 Active Directory domain controllers, it is possible to connect anonymously to the lsarpc interface.

In Windows Server 2003, this is because the TurnOffAnonymousBlock registry value is added and set to 1 when a Windows Server 2003 server is promoted to an Active Directory domain controller.

Note: the modification of the TurnOffAnonymousBlock registry value in Windows Server 2003 does not require a reboot.

On Windows 2000 servers (including Active Directory domain controllers), anonymous translation of SID to name is allowed, even if the RestrictAnonymous registry value is set to 1.

On Windows Server 2003 servers (including Active Directory domain controllers), whether anonymous translation of SID to name is allowed or forbidden is controlled by the following security option:

Network access: Allow anonymous SID/Name translation
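An audit script, added here as an example and not part of the original document, that reads the registry values and the security option this section discusses and reports which anonymous behaviours are in effect on the local host. It assumes that RestrictAnonymous and TurnOffAnonymousBlock live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and that secedit exports the "Allow anonymous SID/Name translation" option as LSAAnonymousNameLookup in its [System Access] section.

```powershell
# Assumption: both values are DWORDs under the Lsa key.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # Returns the DWORD value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AnonymousNameLookupSetting {
    # Exports the local security policy and parses LSAAnonymousNameLookup
    # (assumed to be the secedit name of the SID/Name translation option).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^\s*LSAAnonymousNameLookup\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line -and ($line -match '=\s*(\d)')) { return [int]$Matches[1] }
    return $null   # option not present in the export (e.g. Windows 2000)
}

$os   = Get-WmiObject Win32_OperatingSystem
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
$isDc = ($role -ge 4)

$restrictAnonymous = Get-LsaDword 'RestrictAnonymous'
$turnOffBlock      = Get-LsaDword 'TurnOffAnonymousBlock'
$nameLookup        = Get-AnonymousNameLookupSetting

"Host: $env:COMPUTERNAME ($($os.Caption)), domain controller: $isDc"
"RestrictAnonymous      : $restrictAnonymous"
"TurnOffAnonymousBlock  : $turnOffBlock"
"LSAAnonymousNameLookup : $nameLookup"

# Findings, following the section above.
if ($turnOffBlock -eq 1) {
    "FINDING: TurnOffAnonymousBlock=1, anonymous connections to lsarpc are permitted" +
    " (set by dcpromo on Windows Server 2003 DCs; review if this is a member server)."
}
if ($nameLookup -eq 1) {
    "FINDING: anonymous SID/Name translation is allowed by the local security policy."
}
if ($null -eq $nameLookup -and $restrictAnonymous -eq 1) {
    "NOTE: RestrictAnonymous=1 alone does not block SID-to-name translation on Windows 2000."
}
```

Run it elevated on each domain controller; the three value lines give the raw state and the FINDING lines the interpretation given in this section.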