
Null Session

last modified 2007-07-27 11:28

Null sessions are unauthenticated connections (no username or password) to an NT or 2000 system.

Windows NT and 2000 have this problem, which can be serious. Example:

    C:\>net use \\192.168.###.###\IPC$ "" /u:""

The preceding syntax connects to the hidden interprocess communications "share" (IPC$) at IP address 192.168.###.### as the built-in anonymous user (/u:"") with a null ("") password. If successful, the intruder now has an open channel over which to attempt various techniques to gather as much information as possible from the target: network information, shares, users, groups, registry keys, and so on. Null session connections, or anonymous logons, can be the single most devastating network foothold sought by intruders.

Note:
This fix is known to break "Trusts" in Windows NT and Windows 2000 machines. There are also some questions about it killing print queues and network backups. There is no definitive list of what will and will not work relative to your environment.

Null Session Countermeasure:

Null sessions require access to TCP 139 (and/or 445 on Win 2000). The most prudent way to eliminate them is to filter TCP and UDP ports 139 and 445 at all perimeter network access devices (firewalls). You could also disable SMB services entirely on individual NT hosts by unbinding WINS Client (TCP/IP) from the appropriate interface using the Network Control Panel's Bindings tab. This can be accomplished in Win 2000 by unbinding File and Print Sharing for Microsoft Networks from the appropriate adapter under the Network and Dialup Connections applet, Advanced, Advanced Settings.
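The page recommends filtering TCP and UDP 139 and 445 at perimeter devices. The following is an added example, not part of the original page, showing the host-level equivalent on a current Windows system (Windows 8 / Server 2012 or later, which ship the NetSecurity module): inbound block rules for those ports on the Windows Firewall, created only if not already present, then listed for verification. The rule display names are chosen here and are not from the page; run it from an elevated prompt on a host that does not need to serve SMB.

```powershell
# Added example (not from the original page): host-firewall block rules for the
# NetBIOS session / SMB ports named above. Requires an elevated prompt and the
# NetSecurity module (Windows 8 / Server 2012 and later).
$rules = @(
    @{ Name = 'Block inbound NetBIOS/SMB 139,445 (TCP)'; Protocol = 'TCP' },   # rule names chosen for this example
    @{ Name = 'Block inbound NetBIOS/SMB 139,445 (UDP)'; Protocol = 'UDP' }
)

foreach ($r in $rules) {
    # Idempotent: do not create a duplicate rule on a second run.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Output "Rule already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
        -Protocol $r.Protocol -LocalPort 139,445 -Profile Any | Out-Null
    Write-Output "Created: $($r.Name)"
}

# Verify: show the protocol/port filter attached to each rule just ensured.
Get-NetFirewallRule -DisplayName 'Block inbound NetBIOS/SMB 139,445*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

These rules block the ports only on the host itself; they do not replace the perimeter filtering the page calls for, and a host that must serve file and print sharing to its own subnet would need the rules scoped with -RemoteAddress rather than blocking from all sources.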

Following NT Service Pack 3, Microsoft provided a facility to prevent enumeration of sensitive information over null sessions without the radical surgery of unbinding SMB from network interfaces (recommended unless SMB services are necessary). It's called RestrictAnonymous, after the Registry key that bears that name:


1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\LSA.
2. Choose Edit | Add Value and enter the following data:
   Value Name: RestrictAnonymous
   Data Type: REG_DWORD
   Value: 1 (or 2 on Win 2000)
3. Exit the Registry Editor and restart the computer for the change to take effect.
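The three steps above are a manual regedt32 procedure. As an added example (not from the original page), the following PowerShell script audits the same RestrictAnonymous value under the LSA key, reports what the current setting means using the page's own description of 1 and 2, and writes the REG_DWORD only when asked with -Remediate. The -Desired and -Remediate parameter names are chosen for this example; it assumes a Windows host where the session can read (and, for remediation, write) HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so run it from an elevated prompt.

```powershell
# Added example (not from the original page): audit and optionally set
# RestrictAnonymous as described in the numbered steps above.
[CmdletBinding()]
param(
    # Target value: 1 (NT 4 / Windows 2000) or 2 (Windows 2000), as on the page.
    [ValidateSet(1, 2)]
    [int]$Desired = 2,
    # Write the value if it is missing or lower than $Desired (reboot still required).
    [switch]$Remediate
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'RestrictAnonymous'

# Meanings of each value as this page describes them.
$meaning = @{
    0 = 'anonymous (null session) enumeration allowed'
    1 = 'user and share enumeration over null sessions blocked; the null session itself is still accepted'
    2 = 'Everyone removed from the anonymous token; null sessions denied (Windows 2000)'
}

# A missing value behaves like 0.
$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name is not set (behaves as 0: $($meaning[0]))"
    $current = 0
} else {
    $desc = if ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] } else { 'unrecognized value' }
    Write-Output "$name = $current ($desc)"
}

if ($current -ge $Desired) {
    Write-Output "OK: current value meets the desired setting ($Desired)."
    return
}

if (-not $Remediate) {
    Write-Output "FINDING: value $current is below desired $Desired. Re-run with -Remediate to set it."
    return
}

# Same data as step 2 above: a REG_DWORD named RestrictAnonymous.
Set-ItemProperty -Path $lsaKey -Name $name -Value $Desired -Type DWord
Write-Output "Set $name to $Desired. Restart the computer for the change to take effect (step 3)."
```

Run it without switches to audit, and with -Remediate to apply the change; on Windows versions after 2000 the anonymous-enumeration controls are split across additional LSA values (RestrictAnonymousSAM and EveryoneIncludesAnonymous), so this script checks only the value this page describes.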

On Windows 2000, the Security Policies MMC snap-in provides a graphical interface to the many security-related Registry settings (for example, RestrictAnonymous) that must be configured manually under NT 4. These settings can be applied at the Organizational Unit (OU), site, or domain level, where they are inherited by all child objects in Active Directory if applied from a Win 2000 domain controller. This requires the Group Policy snap-in.

Setting RestrictAnonymous to 1 does not actually block anonymous connections. However, it does prevent most of the information leaks available over the null session, primarily enumeration of user accounts and shares. Some enumeration tools and techniques will still extract sensitive data from remote systems even if RestrictAnonymous is set to 1.

To completely restrict access to null session information on Win 2000 systems, set the Additional Restrictions For Anonymous Connections policy key to "No Access Without Explicit Anonymous Permissions". (This is equivalent to setting RestrictAnonymous equal to 2 in the Win 2000 Registry.) Setting RestrictAnonymous equal to 2 prevents the Everyone group from being included in anonymous access tokens. This setting may cause connectivity problems for third-party products and/or older Windows platforms. (See Microsoft KB article Q246261 for more details.) It effectively blocks null sessions from being created:


    C:\>net use \\mgmgrand\ipc$ "" /u:""
    System error 5 has occurred.
    Access is denied.

For more information on RestrictAnonymous, search Microsoft's Knowledge Base for Article Q143474. For more technical details, see "CIFS: Common Insecurities Fail Scrutiny" or RFCs 1001 and 1002, which describe the NetBIOS over TCP/UDP transport specifications.

