NULL session restrictions in Windows 2000 (1/2)

• 6 hardcoded named pipes

• RestrictAnonymous set to 0 by default

  • 0: no restriction
  • 1: prevent direct enumeration of accounts and groups using samr
  • 2: prevent NULL sessions (anonymous connections to IPC$ denied)

• Anonymous access to samr

  • Detailed user accounts enumeration
  • Group memberships (including BUILTIN\Administrators)
  • Prevented by setting RestrictAnonymous to 1

• Anonymous access to lsarpc

  • Can be used to translate SID to names to indirectly discover user accounts when RestrictAnonymous is set to 1