4.7.13. NULL sessions restrictions for the samr interface on Active Directory domain contollers

4.7.13. NULL sessions restrictions for the samr interface on Active Directory domain contollers
Prev	4.7. NULL sessions	Next

On Active Directory domain controllers, NULL sessions restrictions for the samr interface are based on members of the Pre-Windows 2000 Compatible Access group, because this group is used in DACL of Active Directory objects.

Because of the default setting proposed by dcpromo.exe, this group typically contains:

EVERYONE on Windows 2000 Active Directory domain controllers (EVERYONE includes anonymous users in Windows 2000)
ANONYMOUS LOGON on Windows Server 2003 Active Directory domain controllers

As a consequence, anonymous accesses to the samr interface are typically possible on Active Directory domain controllers, including full enumeration of accounts stored in AD.

Modification of the Pre-Windows 2000 Compatible Access group requires a reboot.

Prev	Up	Next
4.7.12. NULL session restrictions for the lsarpc interface in Windows XP and Windows Server 2003	Home	4.7.14. NULL sessions restrictions for the lsarpc interface on Active Directory domain contollers