4.7.11. NULL session restrictions for the samr interface in Windows XP and Windows Server 2003

Windows XP and Windows Server 2003 (systems that are not Active Directory domain controllers) have one security option that can be used to either block (by default) or allow all anonymous binds to the samr interface:

Network access: Do not allow anonymous enumeration of SAM accounts (Enabled by default)

This security option controls the RestrictAnonymousSam registry value: enabling it sets the value to 1. Because the option is enabled by default on Windows XP and Windows Server 2003, it is not possible to connect anonymously to the SAM server on these systems (except for Windows Server 2003 domain controllers).

In practice, all calls to SamrConnect* operations fail with permission denied.
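
An added example, not part of the original document: this Python code audits the setting offline from a security template exported with `secedit /export`, and shows that RestrictAnonymousSAM must not be confused with the similarly named RestrictAnonymous value. The registry path under `MACHINE\System\CurrentControlSet\Control\Lsa`, the template layout and the function names are assumptions not taken from this page, and the sample templates are constructed.

```python
import re

# Registry value behind the security option as written in a security template
# (assumption: the path comes from Windows itself, not from this page).
TARGET = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM"

# Constructed sample of a `secedit /export` template, trimmed to the relevant parts.
SAMPLE_HARDENED = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
"""
# Same template with the option disabled (constructed).
SAMPLE_WEAK = SAMPLE_HARDENED.replace("RestrictAnonymousSAM=4,1",
                                      "RestrictAnonymousSAM=4,0")


def registry_values(template_text):
    """Return {lowercased key: (type, data)} from the [Registry Values] section."""
    values, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "registry values" and "=" in line:
            key, _, rhs = line.partition("=")
            reg_type, _, data = rhs.partition(",")
            values[key.strip().lower()] = (reg_type.strip(), data.strip())
    return values


def samr_anonymous_state(template_text):
    """Classify the option: 'blocked' (value 1), 'allowed' or 'undefined'."""
    entry = registry_values(template_text).get(TARGET.lower())
    if entry is None:
        return "undefined"  # not in the template; check the live registry
    reg_type, data = entry
    if reg_type != "4":     # 4 = REG_DWORD in security templates
        return "undefined"
    return "blocked" if data == "1" else "allowed"
```

A result of `allowed` or `undefined` on a Windows XP or Windows Server 2003 member system means the default described above should be verified on the live host.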