4.7.13. NULL sessions restrictions for the samr interface on Active Directory domain controllers

On Active Directory domain controllers, NULL sessions restrictions for the samr interface are based on the membership of the Pre-Windows 2000 Compatible Access group, because this group is used in the DACLs of Active Directory objects.

Because of the default setting proposed by dcpromo.exe, this group typically contains:

As a consequence, anonymous access to the samr interface is typically possible on Active Directory domain controllers, including full enumeration of the accounts stored in AD.

Modification of the Pre-Windows 2000 Compatible Access group requires a reboot.
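Because the restriction depends on group membership, auditing that membership shows whether a domain is exposed. The following PowerShell is an added example, not part of the original text: it assumes the ActiveDirectory (RSAT) module is available, the function name Get-PreWin2kMemberReport is hypothetical, and the SIDs are the fixed well-known values for the group, ANONYMOUS LOGON and Everyone.

```powershell
# Added audit example (not from the original page).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs, fixed by Windows.
$groupSid = 'S-1-5-32-554'          # BUILTIN\Pre-Windows 2000 Compatible Access
$watched  = @{
    'S-1-5-7' = 'ANONYMOUS LOGON'   # unauthenticated (NULL session) callers
    'S-1-1-0' = 'Everyone'          # covers anonymous callers only where the
                                    # system lets Everyone apply to them
}

# Hypothetical helper name: lists each member of the group with its SID and
# marks the members that can stand for unauthenticated callers.
function Get-PreWin2kMemberReport {
    param([string]$Server)          # optional: a specific domain controller

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $group = Get-ADGroup -Identity $groupSid -Properties member @common

    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreignSecurityPrincipal objects,
        # so compare on objectSid rather than on the display name.
        $obj = Get-ADObject -Identity $dn -Properties objectSid @common
        $sid = if ($obj.objectSid) { $obj.objectSid.Value } else { $null }
        $hit = [bool]($sid -and $watched.ContainsKey($sid))

        [pscustomobject]@{
            Member    = $obj.Name
            Sid       = $sid
            WellKnown = if ($hit) { $watched[$sid] } else { $null }
            Flagged   = $hit
        }
    }
}

Get-PreWin2kMemberReport |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize
```

A row with Flagged set to True means the group's DACL entries on Active Directory objects can apply to callers that have not authenticated.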