Using the System Account as a Service in Windows NT 3.5
ID: Q122702
|
The information in this article applies to:
-
Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
-
Microsoft Windows NT Server versions 3.5, 3.51, 4.0
SUMMARY
Windows NT allows a service to use either a system account or a user-
specific account to access resources on a local or remote computer. After
you upgrade a computer from Windows NT version 3.1 to Windows NT version
3.5, 3.51 or 4.0, the service may fail or an "Access Denied" error message
may appear if the service is using the system account.
MORE INFORMATION
If a service is using the system account to access resources, the service
logs on with a set of "null credentials." In Windows NT version 3.1, system
accounts had general access to shares. However, in Windows NT version 3.5,
3.51 and 4.0, there is a Server service registry parameter that enables
tighter security by allowing you to specify by name which shares (and
pipes) the system account can access.
The Registry parameter is "RestrictNullSessAccess" (without the quotation
marks) and it defaults to TRUE. Two other parameters, "NullSessionPipes"
and "NullSessionShares" (without quotation marks) allow you to specify
lists of share names and pipe names that can be accessed by the system
account. In other words, by default, the only shares your client's service
can access are those listed in the "NullSessionShares" parameter value. To
change this behavior, the administrator can either set
"RestrictNullSessAccess" to FALSE, or add the names of shares the service
needs access to in the "NullSessionShares" parameter value on servers where
those shares exist.
To disable the "RestrictNullSessAccess" entry, modify the Registry by
doing the following:
WARNING: Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
- Start the Registry Editor (REGEDT32.EXE)
- From the \HKEY_LOCAL_MACHINE subkey, go to the key:
\SYSTEM
\CurrentControlSet
\Services
\LanmanServer
\Parameters
- From the Edit menu, select Add Value.
- For the Value Name, enter RestrictNullSessAccess. For Data Type,
select REG_DWORD and choose OK. In DWORD Editor, enter 0 for Data.
Choose OK.
- Exit Registry Editor and restart Windows NT.
Keywords :
Version :
Platform :
Issue type :
|