4.7.12. NULL session restrictions for the lsarpc interface in Windows XP and Windows Server 2003

Windows XP and Windows Server 2003 have one security option that enables or disables anonymous SID-to-name translation:

Network access: Allow anonymous SID/Name translation (Disabled by default)

When this security option is enabled, the DACL on the LSA policy object is modified, as shown with the lsaacl tool [50]:

This change is dynamic and does not require a reboot.

In Windows XP, anonymous connections to the lsarpc interface are allowed by default, but because the aforementioned option is disabled by default, it is not possible to translate SIDs to names anonymously.

On Windows Server 2003 systems that are not Active Directory domain controllers, anonymous connections to the lsarpc interface are forbidden by default.

In practice, all LsarOpenPolicy and LsarOpenPolicy2 calls over a NULL session fail on non-DC Windows Server 2003 systems.

Thus, the value of the aforementioned option (disabled or enabled) typically does not matter on non-DC Windows Server 2003 systems, unless the TurnOffAnonymousBlock registry value was explicitly added and set to 1.