An attacker will use the information gained from NULL sessions to try to log on to the system, using tools that cycle through many username and password combinations. Common attacks against University computers have shown that, once attackers gain access, they typically install FTP servers, IRC bots and DDoS tools, then copy illegal (copyrighted and pirated) software up to the machine for distribution. The Serv-U FTP Server and the iroffer IRC bot are very common in these cases. This task is made easier by users who leave the administrator password blank when prompted for it during NT/2000/XP installation. Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.
A worm called "Zotob" that takes advantage of the MS05-039 vulnerability relies on NULL sessions to propagate. Follow the instructions in the next section to protect yourself (and of course apply all operating system patches).
Below are instructions on how to manually disable NetBIOS NULL sessions:
Note: disabling NULL sessions makes your computer considerably more secure; however, it could break certain legacy software applications.
Windows Vista/Windows 7
- Go to Start --> Control Panel --> Network and Sharing Center --> Connections: (whatever network you are connected to, e.g. "Local Area Connection") --> Properties --> Internet Protocol Version 4 (TCP/IPv4) --> Advanced... --> WINS --> Disable NetBIOS over TCP/IP --> OK
Windows XP Home Edition
Note: This also works in Windows 2000 and XP Professional.
- Set the following registry value: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2
- Reboot to make the changes take effect.
Windows XP Professional Edition and Windows Server 2003
- Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
This can also be accomplished by setting the following registry values:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)
- Reboot to make the changes take effect.
Windows 2000
- Go to Administrative Tools --> Local Security Settings --> Local Policies --> Security Options
- Select "Additional restrictions of anonymous connections" in the Policy pane on the right
- From the pull-down menu labeled "Local policy setting", select "No access without explicit anonymous permissions"
- Click OK
- The registry setting equivalent is: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2
- Reboot to make the changes take effect.
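The following PowerShell script is an added example (not part of the KU advisory) that audits the settings described above on any of the listed Windows versions: the Lsa\RestrictAnonymous and RestrictAnonymousSAM registry values, and whether NetBIOS over TCP/IP is disabled on each IP-enabled adapter. It assumes an elevated PowerShell 3.0 or later prompt; the -Enforce switch name is this example's own choice.

```powershell
# Audit (and optionally enforce) the NULL-session hardening from the advisory.
# Assumes an elevated prompt. -Enforce is a hypothetical switch for this example.
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Acceptable values per the advisory: RestrictAnonymous=1 (XP Pro/2003, no
# share enumeration) or 2 (XP Home/2000); RestrictAnonymousSAM=1 (no SAM
# account enumeration). The first listed value is what -Enforce writes.
$checks = @{
    'RestrictAnonymous'    = @(1, 2)
    'RestrictAnonymousSAM' = @(1)
}

$props = Get-ItemProperty -Path $lsa
foreach ($name in $checks.Keys) {
    $current = $props.$name
    $ok = ($null -ne $current) -and ($checks[$name] -contains [int]$current)
    $shown = if ($null -eq $current) { 'unset' } else { $current }
    "{0,-22} current={1,-6} {2}" -f $name, $shown, $(if ($ok) { 'OK' } else { 'WEAK' })
    if (-not $ok -and $Enforce) {
        Set-ItemProperty -Path $lsa -Name $name -Value $checks[$name][0] -Type DWord
        "  -> set $name to $($checks[$name][0]) (reboot required)"
    }
}

# NetBIOS over TCP/IP, the setting behind the Vista/7 WINS tab.
# TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $state = switch ($nic.TcpipNetbiosOptions) {
        0 { 'dhcp' } 1 { 'enabled' } 2 { 'disabled' } default { 'unknown' }
    }
    "{0,-40} NetBIOS over TCP/IP: {1}" -f $nic.Description, $state
    if ($nic.TcpipNetbiosOptions -ne 2 -and $Enforce) {
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        "  -> SetTcpipNetbios returned $($r.ReturnValue) (0 = success, 1 = reboot required)"
    }
}
```

Run it without -Enforce first to see which settings are marked WEAK; as the advisory notes, the registry changes only take effect after a reboot.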
Source
Jeff Perry
KU IT Security Office
http://www.security.ku.edu