PRB: Access Denied When Opening a Named Pipe from a Service

ID: Q126645

3.50 3.51 WINDOWS NT kbprg kbprb

The information in this article applies to:

Microsoft Win32 Application Programming Interface (API) included with:
```
    - Microsoft Windows NT versions 3.5, 3.51
```

SYMPTOMS

If a service running in the Local System account attempts to open a named pipe on a computer running Windows NT version 3.5, the operation may fail with an Access Denied error (error 5). This can happen even if the pipe was created with a NULL DACL.

NOTE: For more information about placing a NULL DACL on a named pipe, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q102798
   TITLE     : Security Attributes on Objects

CAUSE

In Windows NT version 3.1, a process running in the Local System account could connect to a resource using a Null Session. For security reasons, use of the Null Session is restricted by default on Windows NT version 3.5.

RESOLUTION

You can allow access to a named pipe using the Null Session by adding the pipe name to the following registry entry on the machine that creates the named pipe:

   \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ 
      Parameters\NullSessionPipes

The pipe name added to this entry is the name after the last backslash in the string used to open the pipe. For example, if you use the following string to open the pipe:

   \\hardknox\pipe\mypipe

you would add mypipe to the NullSessionPipes entry on the computer named hardknox.

You must either reboot or restart (stop and then start) the Server service for changes in this entry to take effect. Also, the named pipe will still need to have a NULL DACL.

In Windows NT 3.51, by customer request, it is no longer necessary to reboot. Once a named pipe is added to the key listed above, null-session connections to that pipe will immediately be accessible.

This new functionality allows programs to permit null session access to named pipes that do not have names known prior to booting the system.

MORE INFORMATION

Usually, when a session is established between a computer supplying a resource (server) and a computer that wants to use the resource (client), the client is identified and credentials are verified. When a Null Session is used, there is no validation of the client; everyone is allowed access.

If you allow a pipe to be used by a Null Session, you should either:

Verify that the data supplied by the pipe is truly public.
```
    -or-
```
Use an alternative method for verifying clients.

REFERENCES

The "Windows NT Registry Entries" Help file in the Windows NT version 3.5 Resource Kit.

Additional reference words: 3.50 KBCategory: kbprg kbprb KBSubcategory: BseSecurity

Keywords          : kbAPI kbKernBase kbGrpKernBase 
Version           : 3.50 3.51
Platform          : NT WINDOWS

Last Reviewed: October 25, 1996