Answer:
A NULL session connection, also known as Anonymous Logon, lets a user who is not logged on retrieve information such as user names and shares over the network. It is used by applications such as explorer.exe to enumerate shares on remote servers. The sad part is that it lets non-authorized users do more than that. Particularly interesting is remote registry access, where the NULL session user has the same permissions as the built-in group Everyone.
With SP3 for NT4.0 or a fix for NT3.51, a system administrator can restrict NULL session access; see $$$: Q143474. The fix defines a new well-known SID named "Authenticated Users", which is Everyone except NULL session connected users. Replacing Everyone with Authenticated Users in all ACLs on the machine would be a good thing. To do this in a controlled fashion, one can use cacls.exe for the file system, but has to rely on a third-party product for the registry ACLs. Using explorer.exe/winfile.exe or regedt32.exe will most certainly break the system, because these tools replace the ACL instead of editing it.
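The difference between editing and replacing an ACL, as an added example that is not part of the original FAQ. It is a simplified model: the SIDs are the real well-known values, while the access masks, token memberships, sample ACL and function names are constructed for illustration.

```python
# Well-known SIDs (real values); everything else is a constructed model.
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"

READ, WRITE, FULL = 0x1, 0x2, 0x3  # simplified masks, not real NT access masks

# Constructed sample ACL: allow-ACEs as (trustee SID, mask) pairs.
SAMPLE_ACL = [(SYSTEM, FULL), (ADMINISTRATORS, FULL), (EVERYONE, READ)]

# Simplified group memberships for this model.
NULL_SESSION = {EVERYONE}                      # anonymous: Everyone only
LOGGED_ON_USER = {EVERYONE, AUTHENTICATED_USERS}
SYSTEM_TOKEN = {SYSTEM, EVERYONE, AUTHENTICATED_USERS}


def granted(acl, token_sids):
    """Union of the masks of all allow-ACEs whose trustee is in the token."""
    mask = 0
    for sid, ace_mask in acl:
        if sid in token_sids:
            mask |= ace_mask
    return mask


def edit_acl(acl, old_sid=EVERYONE, new_sid=AUTHENTICATED_USERS):
    """Edit: swap one trustee, keep every other ACE and every mask."""
    return [(new_sid if sid == old_sid else sid, mask) for sid, mask in acl]


def replace_acl(acl, new_sid=AUTHENTICATED_USERS, mask=READ):
    """Replace: the existing ACL is discarded and a new one written."""
    return [(new_sid, mask)]


def lost_aces(before, after):
    """ACEs for trustees other than Everyone that did not survive."""
    return [ace for ace in before if ace[0] != EVERYONE and ace not in after]


if __name__ == "__main__":
    for name, fn in (("edit", edit_acl), ("replace", replace_acl)):
        acl = fn(SAMPLE_ACL)
        print(name, "null session:", granted(acl, NULL_SESSION),
              "SYSTEM:", granted(acl, SYSTEM_TOKEN),
              "lost:", lost_aces(SAMPLE_ACL, acl))
```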