Empty connection in WinXP

Null sessions (anonymous connections) can *always* be established to NT4, Windows 2000 and Windows XP machines. If the other host's Server service is running and port 139 or 445 is reachable, you can connect with anonymous credentials and the host will reply "Command completed successfully". This has not changed from NT4 to Win2K to XP.

What has changed is what you can do after a null session is established. By default on NT4 and Win2K, you can enumerate the account list and share information. Setting RestrictAnonymous=1 in the registry helps prevent others from enumerating this information (though not completely). RestrictAnonymous=2 prevents it completely, but is only valid on Win2K.

On WinXP, new registry keys are defined:

By default, RestrictAnonymousSam=1. This prevents enumeration of account information. The corresponding security policy is "Do not allow anonymous enumeration of SAM accounts", and it is enabled by default (meaning that XP cannot have its account information enumerated through a null session by default).

By default, RestrictAnonymous=0. Setting it to 1 prevents enumeration of both SAM account information and share information. The corresponding security policy is "Do not allow anonymous enumeration of SAM accounts and shares"; enabling it sets the key value to 1.

RestrictAnonymous=2 is no longer valid on XP.

Therefore, with the XP default settings, you can connect anonymously and enumerate share information, but you cannot enumerate account information.

All in all, to completely block anonymous connections you should close ports 139 and 445 (via IPSec port filters or the Internet Connection Firewall), or uncheck "File and Printer Sharing for Microsoft Networks" in the properties of the network connection.

Original:

Null sessions can *always* be established to NT4, Windows 2000, and Windows
XP machines. If the machine's server service is enabled, and ports 139 or
445 are available, then you can do a net use with anonymous credentials,
and the system will respond with "Command completed successfully". This
has not changed from NT4 to Win2K to XP.

What has changed, however, is what you are able to do once you establish
the null session. In NT4 and Win2K, by default, you could enumerate
information about users and shares. Setting RestrictAnonymous=1 would help
prevent against this enumeration (though not fully). RestrictAnonymous=2
(Win2K only) would fully prevent this enumeration.

On Windows XP, there are new registry keys:

RestrictAnonymousSam=1 is a default setting. This prevents detailed
enumeration of user accounts. This setting correlates with the
SecurityPolicy setting "Do not allow anonymous enumeration of SAM
accounts" with a default setting 'Enabled' (meaning the default of XP will
prohibit anonymous enumeration (RASAM=1).

RestrictAnonymous=0 is a default setting. This correlates with the
SecurityPolicy Setting "Do not allow anonymous enumeration of SAM accounts
and shares". Set this policy to 'Enabled' (RA=1) to prevent anonymous
enumeration of shares.

RestrictAnonymous=2 ( On XP) is no longer a valid setting.

So, by default, on an XP system, you can anonymously connect and enumerate
shares by default, but you cannot enumerate detailed user information.

To disable anonymous connections altogether, block access to tcp139/445
(IPSec port filters or Internet Connection Firewall), or uncheck "File and
Print Sharing for Microsoft Networks" from the network interface in
question (via the properties tab of the network connection).
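The following PowerShell script is an added audit example and is not part of the original post. It reads the two Lsa registry values the post describes (RestrictAnonymous and RestrictAnonymousSAM under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), interprets them the way the post explains for XP, checks whether TCP 139/445 are listening (the precondition for a null session), and, with the hypothetical `-Harden` switch added here, applies the post's recommended RestrictAnonymous=1 setting. It assumes a Windows host with PowerShell 2.0 or later and administrative rights for the hardening step.

```powershell
# Added example, not from the original post: audit null-session exposure as the post describes it.
param(
    [switch]$Harden   # hypothetical switch: set RestrictAnonymous=1 when anonymous share enumeration is allowed
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props  = Get-ItemProperty -Path $lsaKey

# A missing value behaves like 0 (the NT4/Win2K default). RestrictAnonymousSAM only exists on XP and later.
$ra    = if ($null -ne $props.RestrictAnonymous)    { [int]$props.RestrictAnonymous }    else { 0 }
$rasam = if ($null -ne $props.RestrictAnonymousSAM) { [int]$props.RestrictAnonymousSAM } else { $null }

$os = Get-WmiObject Win32_OperatingSystem   # Get-WmiObject works on XP; Get-CimInstance needs PS 3.0
Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)
Write-Host ("RestrictAnonymous    = {0}" -f $ra)
Write-Host ("RestrictAnonymousSAM = {0}" -f $(if ($null -eq $rasam) { '<absent>' } else { $rasam }))

if ($null -eq $rasam) {
    # NT4 / Win2K semantics from the post: RA=1 helps (not fully), RA=2 (Win2K only) fully blocks.
    $accountsHidden = ($ra -ge 1)
    $sharesHidden   = ($ra -ge 1)
    if ($ra -eq 1) { Write-Host 'RA=1 on a pre-XP host only partially restricts enumeration.' }
} else {
    # XP semantics from the post: RASAM=1 hides SAM accounts; RA=1 hides accounts and shares; RA=2 is invalid.
    $accountsHidden = ($rasam -eq 1) -or ($ra -eq 1)
    $sharesHidden   = ($ra -eq 1)
    if ($ra -eq 2) {
        Write-Warning 'RestrictAnonymous=2 is not a valid setting on XP; use 1 plus port filtering instead.'
    }
}

Write-Host ("Anonymous SAM account enumeration: {0}" -f $(if ($accountsHidden) { 'blocked' } else { 'ALLOWED' }))
Write-Host ("Anonymous share enumeration:       {0}" -f $(if ($sharesHidden)   { 'blocked' } else { 'ALLOWED' }))

# The null session rides on SMB, so report whether 139/445 are listening at all.
# netstat is parsed because Get-NetTCPConnection does not exist on XP.
$listening = netstat -an -p tcp | Select-String ':(139|445)\s+\S+\s+LISTENING'
if ($listening) {
    Write-Host 'TCP 139/445 are listening: null sessions can be established. The post recommends IPSec'
    Write-Host 'port filters, the Internet Connection Firewall, or unbinding "File and Printer Sharing'
    Write-Host 'for Microsoft Networks" from the interface to block them entirely.'
} else {
    Write-Host 'TCP 139/445 are not listening: null sessions cannot be established to this host.'
}

if ($Harden -and -not $sharesHidden) {
    # Equivalent to enabling "Do not allow anonymous enumeration of SAM accounts and shares".
    Set-ItemProperty -Path $lsaKey -Name 'RestrictAnonymous' -Value 1 -Type DWord
    Write-Host 'RestrictAnonymous set to 1; new anonymous sessions will no longer see shares or accounts.'
}
```

Run it as `.\Audit-NullSession.ps1` to report, or `.\Audit-NullSession.ps1 -Harden` from an elevated prompt to apply the registry change. The interpretation branches on whether RestrictAnonymousSAM exists, because the post's NT4/Win2K and XP descriptions of RestrictAnonymous differ; the port check is kept separate from the registry check since, as the post notes, the registry values only govern what a null session can enumerate, not whether it can be established.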