RE: Accessing shared folder from Service in 2003




Hi,

After I performed deep research on your issue, I found that the issue is by
design.

Microsoft Windows Server 2003 handles anonymous connections differently
from earlier versions of Windows. In earlier versions, disabling anonymous
connections prevents anonymous connections. In Windows Server 2003, the
anonymous connection is permitted, but Windows can individually block the
specific attempted function. By default, anonymous SID/Name translations
are disabled, but you can perform anonymous enumeration of SAM accounts and
shares. The latter can be disabled in the local security policies under
"Network Access". All other anonymous session access is implicitly denied
by the default security setting for those components. This change may cause
third-party security verifications to incorrectly report that Windows
Server 2003 is not secure because the anonymous connection is permitted.
However, even with this access, you can receive no additional information
unless you specifically allow it.

RestrictAnonymous doesn't exist on 2003. Excerpts from Threats and
Countermeasures: Security Settings in Windows Server 2003 and Windows XP:
http://go.microsoft.com/fwlink/?LinkId=15159

I also found an alternative to enable a null session share on a Windows
2003 member server

1. Network access: Let Everyone permissions apply to anonymous users = Enabled
(Disabled is Default)
This does not have to be enabled. If it is not, then you need to give
Anonymous logon full control in step 3.

2. Network access: Shares that can be accessed anonymously: Add <Sharename>
and IPC$ (Defaults are COMCFG, DFS$)

3. Create C:\NULLTEST share as NULLTEST. Add Everyone Full to share and NTFS
permissions (Anonymous logon if you are not enabling Step 1)

4. Network access: Restrict anonymous access to Named Pipes and Shares =
Disabled (Default is Enabled)

5. From a W2K machine run NET USE \\SERVER /u:"" "" (The share name is not
included)

6. From the same W2K machine run net use n: \\server\nulltest
This creates the drive letter we can access

7. Change to the N: drive

8. Type the following at the command prompt to create a file in the null
share
Copy Con Null.txt
This is a text file created via null sessions
Ctrl Z

9. On the W2K3 share NULLTEST, view the security on the Null.txt file; the
owner should be ANONYMOUS LOGON

For more information, please refer to Windows Server 2003 Security Guide
http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en

Hope it helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
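
Added example, not part of the original post: a small audit that reads a
policy export made with secedit /export /cfg and reports where a server
deviates from the defaults quoted in steps 1, 2 and 4 above. The registry
value names EveryoneIncludesAnonymous and NullSessionShares are the values
behind those policies, and SAMPLE_INF is constructed for illustration.

```python
# Added example: audit a `secedit /export` file for the null-session settings
# changed in steps 1, 2 and 4. SAMPLE_INF is constructed, not from a real server.
BASE = r"machine\system\currentcontrolset"
KEYS = {
    "everyone": BASE + r"\control\lsa\everyoneincludesanonymous",
    "shares": BASE + r"\services\lanmanserver\parameters\nullsessionshares",
    "restrict": BASE + r"\services\lanmanserver\parameters\restrictnullsessaccess",
}
DEFAULT_SHARES = {"COMCFG", "DFS$"}  # defaults quoted in step 2

SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$,NULLTEST
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,0
[Version]
signature="$CHICAGO$"
"""

def registry_values(inf_text):
    """Return {lowercased key path: [values]} from the [Registry Values] section."""
    values, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            key, data = line.split("=", 1)
            # data is "<type>,<value>[,<value>...]"; drop the leading type code
            values[key.strip().lower()] = [v.strip().strip('"') for v in data.split(",")[1:]]
    return values

def audit(inf_text):
    """List deviations from the defaults stated in the procedure above."""
    reg, findings = registry_values(inf_text), []
    # An absent value counts as the default (step 1 off, step 4 restriction on).
    if (reg.get(KEYS["everyone"]) or ["0"])[0] != "0":
        findings.append("Everyone permissions apply to anonymous users")
    extra = {s.upper() for s in reg.get(KEYS["shares"], []) if s} - DEFAULT_SHARES
    if extra:
        findings.append("Anonymous shares added: " + ", ".join(sorted(extra)))
    if (reg.get(KEYS["restrict"]) or ["1"])[0] == "0":
        findings.append("Restriction on anonymous named pipes and shares is off")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print("FINDING:", finding)
```
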


--------------------
>>Thread-Topic: Accessing shared folder from Service in 2003
>>From: "=?Utf-8?B?U2xlZXBpbmdSYWJiaXQ=?="
<SleepingRabbit@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>Subject: RE: Accessing shared folder from Service in 2003
>>Date: Mon, 15 Aug 2005 22:46:01 -0700
>>Newsgroups: microsoft.public.windows.server.migration
>>
>>Thanks Vincent.
>>I have changed the local policy setting you mentioned but the service is
>>still not able to access the shared folder.
>>Any other possible setting I need to change?
>>
>>I read that the RestrictNullSessAccess key does not exist by default. But in
>>my system it exists and was set to 1. Maybe the OS on my system is a
>>'tightened' one. It is Windows Server 2003, Standard Edition.
>>Any other changes in settings can loosen it up?
>>
>>Thanks
>>
>>--
>>Thanks and Regards.
>>
>>
>>"Vincent Xu [MSFT]" wrote:
>>
>>> Hi ,
>>>
>>> In Windows 2003, besides "RestrictNullSessAccess" please also check the
>>> group policy "Network access: Let Everyone permissions apply to anonymous
>>> users"
>>>
>>> Please refer to following link:
>>> <http://xforce.iss.net/xforce/xfdb/169>
>>>
>>> Hope it helps.
>>>
>>> Best regards,
>>>
>>> Vincent Xu
>>> Microsoft Online Partner Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>>
>>> --------------------
>>> >>Thread-Topic: Accessing shared folder from Service in 2003
>>> >>From: "=?Utf-8?B?U2xlZXBpbmdSYWJiaXQ=?="
>>> <SleepingRabbit@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>> >>Subject: Accessing shared folder from Service in 2003
>>> >>Date: Mon, 15 Aug 2005 01:05:02 -0700
>>> >>Newsgroups: microsoft.public.windows.server.migration
>>> >>
>>> >>Our system consists of 2 machines, our service runs on both machines which
>>> >>needs to access a shared folder on the other machine.
>>> >>
>>> >>With W2k, we set
>>> >>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\LanmanServer\Parameters\RestrictNullSessAccess
>>> >>to 0 and our service works fine.
>>> >>
>>> >>But in our new system, which is installed with 2003 Standard Edition, our
>>> >>service is not able to access the shared folder on the other machine even
>>> >>with that registry key set to 0.
>>> >>Our service starts up as system account with interactive turned on.
>>> >>
>>> >>Are there any other parameters in 2003 we need to set before a null session
>>> >>could access the shared folder?
>>> >>
>>> >>
>>> >>--
>>> >>Thanks and Regards.
>>> >>
>>>
>>>
>>
