Null Session Vulnerability

When a program or service is started by using the System user account, the service logs on with null credentials. This is a potential security risk, because it allows an unauthenticated logon to the system. A hacker or worm can exploit this vulnerability and potentially access sensitive data on the system.

The simplest way to reduce null session vulnerability is to disable NetBIOS and verify that ports 139 and 445 are closed.

However, if your run-time image requires NetBIOS, you can control null session access by editing the following registry key to restrict anonymous access to sensitive data:

Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: 0

The default value of RestrictAnonymous is 0. Changing this value to 1 blocks enumeration of SAM and user accounts, and prohibits a null session from seeing user accounts and admin shares. A value of 2 disables null session access without explicit permissions. Changing this value to 2 may conflict with some applications that rely on null sessions.

After you change the registry data, reboot your run-time images and test your applications to verify that they work with restricted null session access.
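
The following PowerShell script is an added example, not part of the original page. It audits the two settings discussed above: the RestrictAnonymous value and whether TCP ports 139 and 445 are listening locally. It assumes PowerShell is available on the image and is run elevated; the `-Apply` switch and the target value of 1 are choices made for this example.

```powershell
# Added example: audit the null-session settings described on this page.
# Usage: .\Check-NullSession.ps1 [-Apply]   (script name is hypothetical)
param([switch]$Apply)   # -Apply writes the target value; default is read-only

$lsaKey = 'HKLM:\System\CurrentControlSet\Control\LSA'
$target = 1   # assumption: 1 as a baseline; move to 2 only after application testing

# Meaning of each RestrictAnonymous value, as stated on this page.
$meaning = @{
    0 = 'default, null sessions are not restricted'
    1 = 'SAM and user account enumeration blocked; accounts and admin shares hidden'
    2 = 'no null session access without explicit permissions'
}

# Read the current value; a missing value is treated as the default (0).
$prop = Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
$current = if ($prop) { [int]$prop.RestrictAnonymous } else { 0 }
$text = $meaning[$current]
if (-not $text) { $text = 'value not described on this page' }
"RestrictAnonymous = $current ($text)"

# List local TCP listeners through .NET and keep only ports 139 and 445.
# This shows what the host itself is listening on; a port can also be
# blocked by a firewall, which this check does not see.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$open = $ipProps.GetActiveTcpListeners() |
    Where-Object { 139, 445 -contains $_.Port } |
    ForEach-Object { $_.Port } | Sort-Object -Unique

if ($open) {
    "TCP $($open -join ', ') listening: NetBIOS/SMB is still enabled"
} else {
    'TCP 139 and 445 are not listening'
}

# Optionally raise the value to the target; never lower an existing setting.
if ($Apply -and $current -lt $target) {
    New-ItemProperty -Path $lsaKey -Name RestrictAnonymous `
        -PropertyType DWord -Value $target -Force | Out-Null
    "RestrictAnonymous set to $target; reboot and retest applications"
} elseif ($current -lt $target) {
    "Below target value $target; re-run with -Apply to change it"
}
```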


Last updated on Wednesday, October 18, 2006

© 2006 Microsoft Corporation. All rights reserved.