4.7.7. Named pipes permissions

Named pipes are implemented by a filesystem driver in Windows NT, npfs.sys, which supports security descriptors on each named pipe. These security descriptors are used to control access to named pipes. It is possible to use the pipeacl tool ([42], [43]) to examine and modify security descriptors on named pipes.

In Windows 2000, named pipe DACLs (Discretionary Access Control Lists) grant permissions to EVERYONE and ADMINISTRATORS for most named pipes used as MSRPC endpoints. Because ANONYMOUS LOGON is included in EVERYONE in Windows 2000, named pipe permissions allow anonymous access.

E:\>pipeacl \??\pipe\lsarpc
Revision: 1
Reserved: 0
Control : 8004
Owner: BUILTIN\Administrators (S-1-5-32-544)
Group: SYSTEM (S-1-5-18)
Sacl: Not present
Dacl: 2 aces
(A) (00) 0012019b :     Everyone (S-1-1-0)
(A) (00) 001f01ff :     BUILTIN\Administrators (S-1-5-32-544)

In Windows XP and Windows Server 2003, DACLs grant permissions to EVERYONE, ANONYMOUS LOGON and ADMINISTRATORS. EVERYONE and ANONYMOUS LOGON are given exactly the same permissions, so the resulting permissions are exactly equivalent to the Windows 2000 permissions (starting with Windows XP, EVERYONE does not include ANONYMOUS LOGON, so ANONYMOUS LOGON must explicitly appear in the ACL).

C:\>pipeacl \??\pipe\lsarpc
Revision: 1
Reserved: 0
Control : 8004
Owner: BUILTIN\Administrators (S-1-5-32-544)
Group: SYSTEM (S-1-5-18)
Sacl: Not present
Dacl: 3 aces
(A) (00) 001f01ff :     BUILTIN\Administrators (S-1-5-32-544)
(A) (00) 0012019b :     Anonymous (S-1-5-7)
(A) (00) 0012019b :     Everyone (S-1-1-0)

It is possible to modify ACLs on named pipes using pipeacl, typically to either add a deny ACE for ANONYMOUS LOGON in Windows 2000 or remove the ACE for ANONYMOUS LOGON in Windows XP and Windows Server 2003.

When permissions are manually removed for ANONYMOUS LOGON on a named pipe that is either hardcoded in the SMB server driver or listed in the NullSessionPipes registry value, such as lsarpc, it is no longer possible to open this pipe in the context of a NULL session.
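
The access masks in the two pipeacl dumps above can be decoded and the DACL evaluated in order for a NULL session token, before and after the modifications just described. The following Python code is an added example, not part of the original document or of pipeacl; the "(D)" prefix for a deny ACE and the default desired access (FILE_READ_DATA | FILE_WRITE_DATA) are assumptions.

```python
import re

# Access-mask bits as they apply to a named pipe object (Windows SDK names).
RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_CREATE_PIPE_INSTANCE", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
ANONYMOUS, EVERYONE = "S-1-5-7", "S-1-1-0"
# "(A)" is the allow prefix seen in the dumps; "(D)" for deny is assumed.
ACE_RE = re.compile(r"^\((A|D)\)\s+\([0-9a-fA-F]+\)\s+([0-9a-fA-F]{8})\s*:.*\((S-[\d-]+)\)$")

def parse_dacl(text):
    """Return the ACEs of a pipeacl dump, in order, as (type, mask, sid)."""
    hits = (ACE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), int(m.group(2), 16), m.group(3)) for m in hits if m]

def decode_mask(mask):
    """Names of the individual rights set in an access mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def anonymous_can_open(aces, everyone_includes_anonymous, desired=0x3):
    """Walk the DACL in order for a NULL session token; the default desired
    access (FILE_READ_DATA | FILE_WRITE_DATA) is an assumption."""
    sids = {ANONYMOUS} | ({EVERYONE} if everyone_includes_anonymous else set())
    remaining = desired
    for ace_type, mask, sid in aces:
        if sid not in sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False          # a deny ACE hits a right not yet granted
        if ace_type == "A":
            remaining &= ~mask    # rights granted so far
        if not remaining:
            return True
    return False                  # no ACE granted everything requested

# ACE lines copied from the two dumps in this section.
W2K = """(A) (00) 0012019b :     Everyone (S-1-1-0)
(A) (00) 001f01ff :     BUILTIN\\Administrators (S-1-5-32-544)"""
XP = """(A) (00) 001f01ff :     BUILTIN\\Administrators (S-1-5-32-544)
(A) (00) 0012019b :     Anonymous (S-1-5-7)
(A) (00) 0012019b :     Everyone (S-1-1-0)"""
```

Decoding 0012019b shows read and write rights without FILE_CREATE_PIPE_INSTANCE (0x4), which only the 001f01ff mask granted to Administrators carries.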

To conclude, permissions on named pipes are typically not used to restrict NULL sessions because, by default, DACLs allow access for ANONYMOUS LOGON. It is not really practical to modify the default DACLs, given that modifications of DACLs on named pipes are not persistent (because named pipes are created by RPC services at startup).