
Windows - Security - Restrict Anonymous Access to Named Pipes and Shares

Restricts unauthenticated access to Windows server pipes and shares via registry configuration

Worklet Details

What the anonymous access restriction Worklet does

This Automox Worklet™ configures two critical registry settings on Windows endpoints to restrict null session access. The Worklet targets RestrictNullSessAccess under the LanmanServer Parameters registry key and RestrictAnonymous under the Lsa registry key, verifying that both are set to 1 (enabled).

Null sessions represent a significant security weakness because they allow unauthenticated users to connect to server pipes and access shared folders. This Worklet eliminates that weakness by enforcing Microsoft's security best practices across your Windows infrastructure.

The Worklet runs on both workstations and servers, making it suitable for comprehensive network-wide security improvements. It respects exceptions defined in NullSessionPipes and NullSessionShares registry entries, preserving legitimate inter-process communication while blocking malicious null session exploitation.

Why restrict anonymous access to pipes and shares

Null sessions pose a critical security risk in Windows environments. Attackers can exploit these sessions to enumerate network resources, discover shared folders, and gather information about your infrastructure without providing any credentials. This reconnaissance phase often precedes more targeted attacks.

By restricting anonymous access, you eliminate this attack vector entirely. This Worklet directly addresses compliance requirements from frameworks like CIS Benchmarks and NIST 800-53, which mandate that organizations disable null session access on Windows systems. The registry settings enforced here are foundational to meeting security standards.

Organizations managing endpoints across multiple domains benefit from automated enforcement of these settings. Manual configuration is error-prone and difficult to audit at scale. This Worklet maintains consistency and provides documentation of your security posture.

How anonymous access restriction works

  1. Evaluation phase: The Worklet checks the registry values RestrictNullSessAccess and RestrictAnonymous, verifying each is set to 1 at their respective paths (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa). If both values are correctly configured, the endpoint is compliant and no further action is taken.

  2. Remediation phase: If either registry value is missing, incorrect, or of the wrong type, the Worklet creates or updates the registry entries with the correct DWORD values. The remediation modifies the endpoint registry directly and confirms successful configuration. The endpoint then becomes compliant and no longer requires remediation.
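
The two phases above can be sketched in PowerShell as follows. This is an added example, not the Automox Worklet's own code; the function names `Test-NullSessionSetting` and `Set-NullSessionSetting` are hypothetical, and reading NullSessionPipes and NullSessionShares from the LanmanServer Parameters key is an addition for auditing the exceptions that remain in effect.

```powershell
# Added example (not the Automox Worklet source). Function names are hypothetical.
# Run from an elevated session: writing under HKLM requires local administrator rights.
$Settings = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RestrictNullSessAccess' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous' }
)

function Test-NullSessionSetting {
    param([string]$Path, [string]$Name)
    # Evaluation: compliant only if the value exists, is a DWORD, and equals 1.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $Name) { return $false }
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
    return ($key.GetValue($Name) -eq 1)
}

function Set-NullSessionSetting {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force replaces an existing value, including one stored with the wrong type.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

$failed = $false
foreach ($s in $Settings) {
    if (Test-NullSessionSetting -Path $s.Path -Name $s.Name) {
        Write-Output "$($s.Name): compliant"
        continue
    }
    Set-NullSessionSetting -Path $s.Path -Name $s.Name
    # Re-read the registry to confirm the write instead of trusting the cmdlet's success.
    if (Test-NullSessionSetting -Path $s.Path -Name $s.Name) {
        Write-Output "$($s.Name): remediated"
    } else {
        Write-Error "$($s.Name): remediation did not take effect"
        $failed = $true
    }
}

# Report the pipes and shares that stay reachable by null sessions as exceptions.
$lanman = Get-ItemProperty -Path $Settings[0].Path -ErrorAction SilentlyContinue
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @($lanman.$name) | Where-Object { $_ }
    Write-Output "${name}: $(if ($entries) { $entries -join ', ' } else { '(none)' })"
}
if ($failed) { exit 1 } else { exit 0 }
```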

Anonymous access restriction requirements

  • Windows Server 2012 R2 or later, Windows 10, or Windows 11

  • PowerShell version 3 or higher

  • Local administrative permissions to modify the HKEY_LOCAL_MACHINE registry hive

  • Endpoints must support both 64-bit and 32-bit registry views

Expected anonymous access security state

After the Worklet completes remediation, your endpoints will have null session access completely restricted. The registry entries RestrictNullSessAccess and RestrictAnonymous will both be configured to 1, which blocks unauthenticated users from accessing named pipes and shared folders through null sessions. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

Verify success by checking the registry values directly: open Registry Editor, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters and confirm RestrictNullSessAccess equals 1, then check HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and confirm RestrictAnonymous equals 1. Your endpoints are now protected against null session exploitation and compliant with security best practices.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
