
Windows - Security - Restrict Anonymous Access to Named Pipes and Shares

Enforces RestrictAnonymous and RestrictNullSessAccess on Windows to block anonymous SAM and share enumeration

Worklet Details

What the anonymous access hardening Worklet does

This Automox Worklet™ enforces two registry values on Windows endpoints to close anonymous SAM account enumeration and null session access to named pipes and shared folders. The Worklet manages RestrictAnonymous under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and RestrictNullSessAccess under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, setting both to 1.

The evaluation script reads each value using the Win32 registry API (Microsoft.Win32.RegistryKey) and compares it to the hardened state: RestrictAnonymous=1 and RestrictNullSessAccess=1. Any missing key, wrong type, or out-of-policy value flags the endpoint as non-compliant. The remediation script creates the parent key when it is absent using CreateSubKey, writes each DWORD with SetValue, and exits 0 after a successful write.

The Worklet is safe to run on workstations, member servers, and domain controllers. Existing NullSessionPipes and NullSessionShares entries are left in place, so legitimate inter-process communication that already lives on the allow list keeps working while the anonymous reconnaissance path is closed.

Why block anonymous SAM and share enumeration

Anonymous SAM enumeration and null session access are the opening move in a long line of Windows attack playbooks. Tools like enum4linux, rpcclient, and the SAMR queries inside BloodHound walk an unauthenticated SMB connection to list local accounts, shared folders, and pipe names. Once an attacker has that map, they target known service accounts, locate writable shares, and pivot toward credential dumping or lateral movement. CIS Benchmark controls 2.3.10.5 (Network access: Do not allow anonymous enumeration of SAM accounts) and 2.3.10.6 (Network access: Do not allow anonymous enumeration of SAM accounts and shares) require both LSA values set, and NIST 800-53 AC-3 treats anonymous access to the SAM as an unauthorized access path.

Enforcing RestrictAnonymous and RestrictNullSessAccess through a single Automox policy run lands the CIS 2.3.10.5 and 2.3.10.6 controls on every Windows endpoint in scope. A freshly imaged workstation, a rebuilt member server, and a long-running domain controller all converge on the same LSA configuration in the same evaluation cycle, with no per-host GPO push and no manual registry edit. Recurring evaluation catches any endpoint where a feature update, baseline reset, or third-party hardening tool flips the values back, so the next vulnerability scan does not surface the same anonymous-enumeration finding twice.

How LSA anonymous access hardening works

  1. Evaluation phase: The Worklet opens HKLM using the Win32 registry API and reads RestrictAnonymous from HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and RestrictNullSessAccess from HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. It checks that each value exists, has type DWORD, and is set to 1. If every value matches, the endpoint reports compliant and no remediation is scheduled. Any missing key, missing value, wrong registry type, or out-of-policy DWORD marks the endpoint non-compliant with a message that names the specific value at fault.

  2. Remediation phase: The Worklet creates the Lsa and LanmanServer\Parameters keys using CreateSubKey when they are missing, then writes RestrictAnonymous=1 and RestrictNullSessAccess=1 as DWORDs using SetValue. The script exits 0 on a successful write, or exits 1 and writes an error message if a write fails. The new values take effect on the next session establishment, so no reboot is required for the controls to apply.
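The two phases above, combined into one PowerShell script for illustration. This is an added example, not the Automox Worklet's own code: the function names Test-AnonymousAccessPolicy and Set-AnonymousAccessPolicy and the $Policy table are hypothetical, and the remediation path assumes an elevated session.

```powershell
# Added example (not the Worklet source). Hardened state as described on this page.
$Policy = @(
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Want = 1 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RestrictNullSessAccess'; Want = 1 }
)

function Test-AnonymousAccessPolicy {
    # Emits one message per out-of-policy value; no output means compliant.
    foreach ($p in $Policy) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($p.Key)   # read-only open
        if ($null -eq $key) { "$($p.Name): key HKLM:\$($p.Key) is missing"; continue }
        try {
            $value = $key.GetValue($p.Name, $null)
            if ($null -eq $value) { "$($p.Name): value is missing"; continue }
            # GetValueKind throws on a missing value, so it is called only after the null check.
            $kind = $key.GetValueKind($p.Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                "$($p.Name): type is $kind, expected DWord"
            } elseif ($value -ne $p.Want) {
                "$($p.Name): is $value, expected $($p.Want)"
            }
        } finally { $key.Close() }
    }
}

function Set-AnonymousAccessPolicy {
    # CreateSubKey creates the key if absent, otherwise opens it for writing.
    foreach ($p in $Policy) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($p.Key)
        try {
            # Writing with an explicit kind also corrects a value stored with the wrong type.
            $key.SetValue($p.Name, [int]$p.Want, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    }
}

$findings = @(Test-AnonymousAccessPolicy)
if ($findings.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
$findings | ForEach-Object { Write-Output "Non-compliant: $_" }
try {
    Set-AnonymousAccessPolicy
    Write-Output 'Remediated: both values set to 1'
    exit 0
} catch {
    Write-Error "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The script touches only the two values in $Policy; NullSessionPipes and NullSessionShares are neither read nor modified.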

Anonymous access hardening requirements

  • Windows 10, Windows 11, or Windows Server 2012 R2 or later (workstation, member server, or domain controller)

  • PowerShell 3.0 or later in the Automox agent context (the default agent meets this on every supported Windows build)

  • Local administrator rights to write to HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

  • If Group Policy already manages "Network access: Do not allow anonymous enumeration of SAM accounts" or "Restrict anonymous access to Named Pipes and Shares," confirm the GPO sets the same hardened values so the next gpupdate does not revert the Worklet's writes

  • Review existing NullSessionPipes and NullSessionShares entries before deployment; the Worklet leaves them in place but they remain reachable to anonymous callers, so prune any that legacy applications no longer require

Expected state after LSA hardening

After remediation, each Windows endpoint reports RestrictAnonymous=1 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and RestrictNullSessAccess=1 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Anonymous SMB connections can no longer enumerate local SAM accounts, share names, or named pipes that are not on the explicit NullSessionPipes or NullSessionShares allow list. Subsequent evaluation runs find the values already hardened and skip remediation, so the policy stays quiet on a clean fleet.

Confirm the registry state on a sample endpoint with Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous and Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name RestrictNullSessAccess. For audit evidence, capture both outputs alongside the Automox policy run identifier and store them with your CIS 2.3.10.5/6 evidence pack.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
