Pre Win2k3 SP1 we actually had a hardcoded list of null session pipes + the registry key to come up with the complete list of allowed NULL session pipes. PRE SP1 hard coded list:=========== L"netlogon", L"lsarpc", L"samr", L"browser", L"srvsvc", L"wkssvc", POST SP1==========None
Net result? If you messed with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parametersNullSessionPipes value ( removed things like .. lsarpc, netlogon etc.. ) You will fail NULL session authentications where you used to succeed, even with nothing defined in the registry. CHANGES:=========We remove items like trkwks, trksvr, epmapper, and locator. We add browserWe then write the value: AdjustedNullSessionPipes == 1 under CurrentControlSet\Services\lanmanserver\parametersWe remove the hardcoded list seen above What does it effect? Scenario: DFS server goes to access a DC to get site info - it calls DsAddressToSiteNames() ( connect to netlogon ) to determine site info. DFS Service runs as Local SystemIf the Kerberos authentication fails for some reason and we fall back to NTLM and it will authenticate as NULL This call then fails since the DC will not authenticate the null connection to the named pipe \pipe\netlgon. Net Trace shows:================== DFS Server sends authn data: SMB Command: Session Setup AndX (0x73) Security Blob: Domain name: NULL User name: NULL Host name: NNSFLS001 DC responds: SMB Command: Session Setup AndX (0x73) NT Status: STATUS_SUCCESS (0x00000000) DFS Server tries to access \pipe\netlogon SMB NT Create AndX Request, Path: \NETLOGON DC Responds: SMB Command: NT Create AndX (0xa2) NT Status: STATUS_ACCESS_DENIED (0xc0000022)
The above article is great and I would like to add soem more to what is given above.
Question was what is the impact of setting the value to null for the setting Names Pipes that can be accessed anonymously.
The Effect would be as simple as that this would disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. For example, with Microsoft Commercial Internet System 1.0, the Internet Mail Service runs under the Inetinfo process. Inetinfo starts in the context of the System account. When Internet Mail Service needs to query the Microsoft SQL Server database, it uses the System account, which uses null credentials to access a SQL pipe on the computer that runs SQL Server.
Extract from the TechNet:
Network access: Named Pipes that can be accessed anonymously
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.
The possible values for the Network access: Named Pipes that can be accessed anonymously setting are:
. A user-defined list of shares
. Not Defined
For this policy setting to take effect, you must also enable the Network access: Restrict anonymous access to named pipes and shares setting.
You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The default list of named pipes and their purpose is provided in the following table.
Table 5.1: Default Named Pipes That Are Accessible Anonymously
Named pipe Purpose:
SNABase named pipe. Systems Network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.
SNA Server named pipe.
Default named pipe for SQL Server.
Named pipe for the Print Spooler service.
End Point Mapper named pipe.
Remote Procedure Call Locator service named pipe.
Distributed Link Tracking Client named pipe.
Distributed Link Tracking Server named pipe.
Configure the Network access: Named Pipes that can be accessed anonymously setting to a null value (enable the setting but do not enter named pipes in the text box).
This configuration will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. For example, with Microsoft Commercial Internet System 1.0, the Internet Mail Service runs under the Inetinfo process. Inetinfo starts in the context of the System account. When Internet Mail Service needs to query the Microsoft SQL Server database, it uses the System account, which uses null credentials to access a SQL pipe on the computer that runs SQL Server.
To avoid this problem, refer to the Microsoft Knowledge Base article "How to access network files from IIS applications," which is located at http://support.microsoft.com/default.aspx?scid=207671
For More info:
Some of the know issues we face when we set NullSessionPipes key to null.
# TS won't be able to obtain a license. Error received is: 'error in the licensing protocol'
# We are unable to start TSLS Service.
# We will face Licensing replication issue.
# we get an error like "You do not have permission to change the password" for our domain login.
# We also can't change the local workstation password.
# We receive errors while installing SQL.
# Any application that depends on anonymous access will break. This will happen with any legacy application that we are using.
# Anytime the server falls back to NTLM for authentication it won't be able to communicate.
# The SMB signing breaks.
the default is supposed to be set at none so why would anyone want someone anonymously accessing their network anyhow?
To answer your question -see the notes in http://support.microsoft.com/kb/q289655/
Can you use wildcards in specifying NULL pipes? The reason is that I have an application that creates dynamic WMI pipes and I have a security requirement to restrict anonymous named pipes so it must be defined in the local security policy. Thanks in advance for any feedback.
please provide me the registry key to set the following
Network access: Named Pipes that can be accessed : anonymously:none