JSI Tip 3763. How do I enable null session access on a Windows 2000 computer?
June 3, 2001
When a process is started in the System account context, it logs on with null credentials. If the process attempts to access a file share on a remote computer, it will fail if the file share is not configured as a null session share. The process will also fail if registry, group or policy restrictions are in effect on the server that is hosting the file share.
To enable null session access on a share or named pipe, you must modify the registry on each remote resource computer.
NOTE: Enabling null session access on a resource is not secure.
To enable null session access:
1. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares, where NullSessionShares is a REG_MULTI_SZ data type.
2. On a new line, type the share name you wish to enable. Example: MyShare.
3. If the process uses named pipes, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes, where NullSessionPipes is a REG_MULTI_SZ data type.
4. On a new line, type the name of the pipe.
5. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
6. Add Value name RestrictAnonymous, a REG_DWORD data type, and set the data value to 0.
7. Open a CMD prompt and type:
net stop server
net start server
NOTE: Respond yes to the prompts and also start the dependent services.
To allow anonymous access for Windows NT 4.0 clients, on a domain controller (and on standalone and member servers):
net localgroup "pre-windows 2000 compatible access" everyone /add
NOTE: When there are no longer any Windows NT 4.0 clients, type:
net localgroup "pre-windows 2000 compatible access" everyone /delete
NOTE: If you set the Additional restrictions for anonymous connections policy at Windows Settings\Security Settings\Local Policies\Security Options to No Access, null sessions are prevented.
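To review which of these settings are in effect on a server, the following read-only audit lists every share and pipe opened to null sessions, the RestrictAnonymous value, and whether Everyone is in the compatibility group. It is an added example, not part of the original tip, and assumes PowerShell is available on the server being checked; the helper names Get-RegValue and New-Finding are made up for this example.

```powershell
# Added audit example, not part of the original tip. Read-only.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$group  = 'Pre-Windows 2000 Compatible Access'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return nothing (instead of throwing) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Setting, [string]$Value, [string]$Note)
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }
}

$findings = @()

# Steps 1-4: every entry in these REG_MULTI_SZ values is open to null sessions.
foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
    $entries = @(Get-RegValue -Path $params -Name $name | Where-Object { $_ })
    foreach ($entry in $entries) {
        $findings += New-Finding $name $entry 'Listed for null session access'
    }
}

# Steps 5-6: RestrictAnonymous = 0 is the setting the tip applies. An absent
# value is reported too, on the assumption that it behaves like 0.
$restrict = Get-RegValue -Path $lsa -Name 'RestrictAnonymous'
if ($null -eq $restrict -or $restrict -eq 0) {
    $shown = if ($null -eq $restrict) { '(not set)' } else { "$restrict" }
    $findings += New-Finding 'RestrictAnonymous' $shown 'Anonymous connections are not restricted'
}

# NT 4.0 compatibility step: Everyone added to the compatibility group.
$members = & net.exe localgroup $group 2>$null
if ($members -match '^\s*Everyone\s*$') {
    $findings += New-Finding $group 'Everyone' 'Remove once no Windows NT 4.0 clients remain'
}

if ($findings.Count -eq 0) {
    'No null session exposure found in the settings this tip changes.'
} else {
    $findings | Select-Object Setting, Value, Note | Format-Table -AutoSize
}
```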