Creating Null Session Shares

Network-installing Microsoft RIS OSs (Windows 2000, Windows XP, Windows Server 2003) requires the creation of a "Null Session Share" (NSS). This kind of share earned a bad reputation in the past from a security point of view, so setting one up on modern OSs is not a straightforward single-step action; it takes a bit of effort. This article tries to help Serva users create their NSSs on different host platforms.


Windows 2000


  1. Enabling File Sharing:

    1. Click [Start]/Settings/Network and Dial-up Connections

    2. Right click the "Local Area Connection" icon.

    3. Click Install/Service.

    4. Click [Add...]

    5. Select "File and Printer Sharing for Microsoft Networks"

    6. Re-boot.

  2. Enabling the Guest Account:

    1. [Start]/Settings/Control Panel

    2. Open "Users and Passwords" and click the "Advanced" Tab.

    3. In the "Advanced User Management" section click "Advanced"

    4. Open the "Users" folder and click the "Guest" user

    5. Un-check "Account is disabled" and click [OK]

    6. Close the "Local Users and Groups" dialog and click [OK].

  3. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Sharing..."

    2. Select "Share this folder"

    3. Click "New Share"

    4. Add "Share Name" = WIA_RIS_SHARE and click OK

    5. Select any "Share Name" different than WIA_RIS_SHARE from the combo-box and click [Remove Share]

    6. Verify "Share Name" = WIA_RIS_SHARE and click [Permissions]

    7. Remove all users/groups then add the user "Guest" with "Read" rights only.


Windows XP


  1. Enabling Simple File Sharing (Windows XP Professional):

    1. [Start]/Control Panel, click "Switch to Classic View" and then the "Folder Options" icon.

    2. Select the "View" tab.

    3. Under the "Advanced settings" section select the "File and Folders/Use simple file sharing (Recommended)" check box.

    4. Click [OK] to close the "Folder Options" dialog box.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Sharing and Security..."

    2. If remote access is disabled:

      1. Under the "Network sharing and security" section click "If you understand the security risks but want to share files without running the wizard, click here."

      2. In the next "Enable File Sharing" dialog box, select the "Just enable file sharing" radio button, and then click [OK].

    3. Check "Share this folder on the network" with "Share Name" = WIA_RIS_SHARE

    4. Click [OK] to close the Properties dialog box.

    5. Click [Yes] (share anyway) to the warning about share names longer than 12 characters.

  3. Open the Control Panel, select "Administrative Tools" and then "Services". Right-click the "Server" service and select Restart to restart the service.

Windows Server 2003


  1. Enabling the Guest Account:

    1. Run lusrmgr.msc (Local Users and Groups)

    2. Open the "Users" folder and click the "Guest" user

    3. Un-check "Account is disabled" and click [OK]

    4. Close lusrmgr.msc (Local Users and Groups)

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab.

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only and click [OK].

    5. Back at the Properties dialog now select the "Security" tab

    6. Click [Add..], enter the user "Guest" and click [OK]

    7. Select the user "Guest" in the "Group or user names:" pane and edit its permissions in the "Permissions for Guest" pane. Make sure the "Allow" column is checked for "Read & execute", "List folder contents" and "Read", then click [OK].

Windows Vista


  1. Enabling Anonymous Logon:

    1. Open the Control Panel and navigate to:
      Network and Internet\Network and Sharing Center\Sharing and Discovery\
      Turn off:
      password protected sharing

    2. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab and click [Advanced Sharing...]

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only.

Windows Server 2008


  1. Enabling Anonymous Logon:

    1. Run the Control Panel

    2. Navigate to:
    Network and Internet\Network and Sharing Center\Change advanced sharing settings\
    Select:
    Turn off password protected sharing
    3. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab and click [Advanced Sharing...]

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only and click [OK] twice.

    5. Back at the Properties dialog now select the "Security" tab and click [Edit...]

    6. Click [Add..], enter the user "Guest" and click [OK]

    7. Select the user "Guest" in the "Group or user names:" pane and edit its permissions in the "Permissions for Guest" pane. Make sure the "Allow" column is checked for "Read & execute", "List folder contents" and "Read", then click [OK] and [Close].

Windows 7


  1. Enabling Anonymous Logon:

    1. Run the Control Panel

    2. Navigate to:
    Network and Internet\Network and Sharing Center\Change advanced sharing settings\
    Select:
    Turn off password protected sharing
    3. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab and click [Advanced Sharing...]

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only and click [OK] twice.

    5. Back at the Properties dialog now select the "Security" tab and click [Edit...]

    6. Click [Add..], enter the user "Guest" and click [OK]

    7. Select the user "Guest" in the "Group or user names:" pane and edit its permissions in the "Permissions for Guest" pane. Make sure the "Allow" column is checked for "Read & execute", "List folder contents" and "Read", then click [OK] twice.

Windows Server 2012


  1. Enabling Anonymous Logon:

    1. Run the Control Panel

    2. Navigate to:
    Network and Internet\Network and Sharing Center\Change advanced sharing settings\
    Select:
    Turn off password protected sharing
    3. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab and click [Advanced Sharing...]

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only and click [OK] twice.

    5. Back at the Properties dialog now select the "Security" tab and click [Edit...]

    6. Click [Add..], enter the user "Guest" and click [OK]

    7. Select the user "Guest" in the "Group or user names:" pane and edit its permissions in the "Permissions for Guest" pane. Make sure the "Allow" column is checked for "Read & execute", "List folder contents" and "Read", then click [OK] and [Close].

Windows 8/8.1


  1. Enabling Anonymous Logon:

    1. Press [Win-Logo]+[X] and run the Control Panel

    2. Navigate to:
    Network and Internet\Network and Sharing Center\Change advanced sharing settings\
    Select:
    Turn off password protected sharing
    3. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From the Metro UI click on Desktop

    2. From File Explorer right click the TFTP root directory and select "Properties."

    3. Select the "Sharing" tab and click [Advanced Sharing...]

    4. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    5. Remove all users/groups then add the user "Guest" with "Read" rights only.

Windows 10


  1. Enabling Anonymous Logon:

    1. Search and run the Control Panel

    2. Navigate to:
    Network and Internet\Network and Sharing Center\Change advanced sharing settings\
    Select:
    Turn off password protected sharing
    3. Save changes and close the Control Panel.

  2. Creating the Share:

    1. From File Explorer right click the TFTP root directory and select "Properties."

    2. Select the "Sharing" tab and click [Advanced Sharing...]

    3. Check "Share this folder", set "Share Name" = WIA_RIS_SHARE and click [Permissions]

    4. Remove all users/groups then add the user "Guest" with "Read" rights only.


The SMB (Server Message Block) protocol used by Microsoft shares supports dialect negotiation. A dialect is a version of the protocol, generally defined in terms of additions and changes relative to a previous version.
When RIS clients require the services of the NSS they are able to negotiate a dialect called "CIFS" (also known as "NT LAN Manager" or simply "NT LANMAN"), which is identified by the dialect string "NT LM 0.12". The preceding instructions for creating an NSS assume that all RIS clients are by default able to use the "NT LM 0.12" dialect against any host running Windows 2000 and up.

If you need to create an NSS for a client (other than RIS) that strictly requires older dialects like "LANMAN1.0", "LANMAN1.2", etc., you might need extra steps to enable those dialects on your host, i.e.:
Run the program "Regedit"

  1. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\

    Edit the multi-string (REG_MULTI_SZ) value "NullSessionShares" and add the share name on a new line.

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\

    Edit the 32-bit (REG_DWORD) value "restrictanonymous" and set it to 0.


NOTE: Some of the described procedures involve registry editing and other administrative tasks. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
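
To confirm what the procedures above left on a host, the following read-only audit reports the two registry values, the Guest account state and the share-level ACL. It is an added example, not part of the original article or of Serva; it assumes the share name WIA_RIS_SHARE used above, an English "Guest" account name in the ACL, and Windows 8 / Server 2012 or later (for Get-SmbShareAccess and Get-CimInstance).

```powershell
# Added example: read-only audit of the settings this article changes.
# Assumptions: share name from the article; Get-SmbShareAccess and
# Get-CimInstance need Windows 8 / Server 2012 or later; run elevated.
param([string]$ShareName = 'WIA_RIS_SHARE')

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Setting, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Setting = $Setting; Value = $Value; Note = $Note })
}

# 1. Shares reachable over a null session (REG_MULTI_SZ NullSessionShares).
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$nss = @((Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).NullSessionShares |
         Where-Object { $_ })
$extra = @($nss | Where-Object { $_ -ne $ShareName })
Add-Finding 'NullSessionShares' ($nss -join ', ') $(
    if ($extra.Count) { "review: entries other than $ShareName" } else { 'no unexpected entries' })

# 2. LSA anonymous restriction (REG_DWORD); the article sets it to 0.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).restrictanonymous
Add-Finding 'restrictanonymous' $ra $(
    if ($ra -eq 0) { 'set to 0 as in the article' } else { 'not 0' })

# 3. Built-in Guest account, found by its well-known RID 501 (it may be renamed).
$guest = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
         Where-Object { $_.SID -like '*-501' }
$state = if (-not $guest) { 'not found' } elseif ($guest.Disabled) { 'disabled' } else { 'enabled' }
Add-Finding 'Guest account' $state 'account the share ACL grants Read to'

# 4. Share-level ACL: the article leaves a single entry, Guest with Read.
$acl = @(Get-SmbShareAccess -Name $ShareName -ErrorAction SilentlyContinue)
if ($acl.Count -eq 0) { Add-Finding "Share $ShareName" 'not found' 'nothing to audit' }
foreach ($ace in $acl) {
    $ok = ($ace.AccountName -match '(^|\\)Guest$') -and
          ("$($ace.AccessControlType)" -eq 'Allow') -and ("$($ace.AccessRight)" -eq 'Read')
    Add-Finding 'Share ACE' "$($ace.AccountName): $($ace.AccessControlType) $($ace.AccessRight)" $(
        if ($ok) { 'matches the article' } else { 'review: not Guest/Allow/Read' })
}

$findings | Format-Table -AutoSize -Wrap
```

The script changes nothing; running it before and after the RIS installation shows whether the host still carries the relaxed settings once the share is no longer needed.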



To report confirmed errors or suggest improvements to the information contained in this document, please contact me here.

Originally published 05/08/2012
2nd Edition 03/16/2013
3rd Edition 07/15/2013
4th Edition 11/20/2014