4.7.9. NULL sessions restrictions settings in Windows 2000

NULL sessions have security implications because the security context of a NULL session contains the EVERYONE SID. The EVERYONE group therefore includes anonymous users, and if a DACL grants access to the EVERYONE group, that access can be exercised in the context of a NULL session. In Windows NT 4.0 SP3, Microsoft introduced the AUTHENTICATED USERS group, which contains only authenticated users. This group can be used instead of EVERYONE to grant permissions.

Also, starting with Windows NT 4.0 SP3, the LSA (Local Security Authority) can be configured to restrict the capabilities of a NULL session, with the following registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Control\LSA\
Value: RestrictAnonymous
Content: 0 (no restriction), 1 (some restrictions), 2 (only valid in Windows 2000)

This registry value is also a group policy security option, starting with Windows 2000:

Additional restrictions for anonymous connections: None. Rely on default permissions (RestrictAnonymous == 0)
Additional restrictions for anonymous connections: Do not allow enumeration of SAM accounts and shares (RestrictAnonymous == 1)
Additional restrictions for anonymous connections: No access without explicit anonymous permissions (RestrictAnonymous == 2)

Setting RestrictAnonymous to 2 completely disables NULL sessions by removing the EVERYONE SID from the token of a NULL session.
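
The following Python sketch is an added example, not part of the original document. It models which allow ACEs of a DACL a NULL session can match for each RestrictAnonymous value. The SDDL aliases (WD, AN, AU), the SID values and the ANONYMOUS LOGON SID in the token are standard Windows values not given in the text above; the function names and sample descriptors are constructed for illustration.

```python
import re

# Well-known SIDs and SDDL aliases (standard Windows values, not quoted from the page).
EVERYONE = "S-1-1-0"               # SDDL alias WD
ANONYMOUS_LOGON = "S-1-5-7"        # SDDL alias AN
AUTHENTICATED_USERS = "S-1-5-11"   # SDDL alias AU
ALIASES = {"WD": EVERYONE, "AN": ANONYMOUS_LOGON, "AU": AUTHENTICATED_USERS}

def null_session_sids(restrict_anonymous):
    """SIDs modelled in a NULL session token for a RestrictAnonymous value."""
    if restrict_anonymous not in (0, 1, 2):
        raise ValueError("RestrictAnonymous must be 0, 1 or 2")
    sids = {ANONYMOUS_LOGON}
    if restrict_anonymous < 2:  # value 2 removes the EVERYONE SID from the token
        sids.add(EVERYONE)
    return sids

def dacl_aces(sddl):
    """Return (ace_type, rights, trustee_sid) for each ACE in the D: part."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) >= 6:  # skip malformed ACEs rather than guess
            aces.append((fields[0], fields[2], ALIASES.get(fields[5], fields[5])))
    return aces

def reachable_by_null_session(sddl, restrict_anonymous):
    """Allow ACEs whose trustee is in the modelled NULL session token.
    Simplification: deny ACEs and other token SIDs are not modelled."""
    token = null_session_sids(restrict_anonymous)
    return [(rights, sid) for ace_type, rights, sid in dacl_aces(sddl)
            if ace_type == "A" and sid in token]

# Constructed sample descriptors (not taken from a real system).
SAMPLES = {
    "grants EVERYONE": "O:BAG:SYD:(A;;GA;;;BA)(A;;GR;;;WD)",
    "grants AUTHENTICATED USERS": "O:BAG:SYD:(A;;GA;;;BA)(A;;GR;;;AU)",
    "explicit anonymous ACE": "O:BAG:SYD:(A;;GA;;;BA)(A;;GR;;;AN)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        for value in (0, 1, 2):
            print(name, value, reachable_by_null_session(sddl, value))
```

In this model the EVERYONE ACE is matched at values 0 and 1 but not at 2, the AUTHENTICATED USERS ACE is never matched, and only an explicit anonymous ACE is still matched at value 2.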

When RestrictAnonymous is set to 1 in Windows NT or Windows 2000, it is still possible to gather some interesting information anonymously [48], using the appropriate function calls and tools [49].