Windows 10 "One or more named pipes or shares have been marked for access by anonymous users" - SMB Server

YouAreHere (New Member, joined Oct 3, 2019)
I have installed a fresh copy of Windows 10 Home 1903 which was obtained from the Microsoft site.
After installation I noticed these entries in the SMB Server Event Viewer log:

One or more named pipes or shares have been marked for access by anonymous users. This increases the security risk of the computer by allowing unauthenticated users to connect to this server.

Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Registry Values: NullSessionPipes, NullSessionShares
Default Value: Empty (or not present)
Current Value: Non-empty

Guidance:

You should expect this event when modifying the default values of NullSessionShares and NullSessionPipes. On a typical file server, these settings do not exist or do not contain values, which is the most secure configuration. By default, domain controllers populate the NullSessionShares entry with netlogon, samr, and lsarpc to allow legacy access methods.

This Event Viewer entry can be found at Applications and Services Logs > Microsoft > Windows > SMB Server > Operational

I went to Control Panel > Programs > Programs and Features > Turn Windows features on or off and removed SMB 1.0 support. This did not stop the activity in the SMB Event Log.

If I look at the XML version of the SMB Event Viewer log it says EventData xmlns="Smb2Namespace". Does that mean I have SMB version 2.0 installed somewhere on Windows 10?

I added custom outbound rules to the Windows firewall to block ports 137-139 and 445. After doing that the log entries for SMB Server have stopped.

Do you folks also have these SMB Server entries in your Event Viewer?
 
Blocking outbound connections only blocks your system's ability to connect to remote system shares. Inbound would block those connections to your machine.

If it's your only system and you just want to disable the functionality (and yes, every system supports SMBv2 and now SMBv3).

To disable SMB to your machine, you can open services.msc and stop and disable the Server service, and to disable outbound SMB you can disable the Workstation service.
 
I am not an IT person. Would a "typical" user need to make these changes, or when and why would one want to?


 
Most people do not change these settings, although if you're not sharing resources between computers on your network it would be a good practice from a security perspective to disable them.
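
A read-only check of the settings discussed in this thread, added here as an example and not part of any post. It reads the two registry values named in the event, the Server and Workstation services mentioned in the reply, and the SMB dialects the server has enabled. LanmanServer and LanmanWorkstation are the service names behind the "Server" and "Workstation" display names, and the 200-event window is an arbitrary choice.

```powershell
# Added example: read-only audit, changes nothing. Run in an elevated PowerShell session.
$key = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. The two REG_MULTI_SZ values named in the event. Absent or empty is the default.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $entries = @($prop.$name | Where-Object { $_ })   # drop nulls and empty strings
    if ($entries.Count -eq 0) {
        '{0}: empty or not present (default)' -f $name
    } else {
        '{0}: non-empty -> {1}' -f $name, ($entries -join ', ')
    }
}

# 2. Server = inbound SMB to this machine, Workstation = outbound SMB from it.
Get-Service -Name LanmanServer, LanmanWorkstation |
    Format-Table Name, DisplayName, Status, StartType -AutoSize

# 3. Dialects the SMB server accepts. EnableSMB2Protocol covers both SMBv2 and SMBv3.
#    This cmdlet needs the Server service running, so errors are suppressed.
Get-SmbServerConfiguration -ErrorAction SilentlyContinue |
    Format-List EnableSMB1Protocol, EnableSMB2Protocol

# 4. Recent occurrences of the event quoted in the first post, matched on its text.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Operational' -MaxEvents 200 `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*NullSessionPipes*' } |
    Select-Object -First 5 |
    Format-Table TimeCreated, Id -AutoSize
```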
 