Null Session - What it is, why it’s risky, and how to disable anonymous access

What it is

A null session is a network connection made without a username or password. On older Windows setups, an anonymous user can connect to special shares like IPC$ to list users, groups, and shared folders or talk to services that use named pipes and RPC.

Why it matters

Even though no files are stolen directly, null sessions give attackers a map of your network - who exists, what shares are open, and where to try passwords next. That reconnaissance speeds up phishing, brute force, and lateral movement.

How it works - quick tour

  • Connects to a host’s IPC$ share with blank credentials.

  • Uses SMB/RPC to enumerate users, groups, and shares.

  • Feeds that intel into password spraying or targeted attacks.

Red flags

  • Anonymous or “Anonymous Logon” entries in security logs.

  • Unexpected access to IPC$ on servers or desktops.

  • Tools that rapidly list accounts and shares from one source IP.

Prevent it

  • Disable SMB1 and keep Windows fully updated.

  • Set policies to restrict anonymous access to named pipes and shares.

  • Limit or remove the IPC$ exposure on hosts that do not need it.

  • Use a host-based firewall to allow SMB only from trusted subnets.

  • Enforce strong passwords and MFA for admin access.

  • Monitor for Event ID 4624 with Logon Type 3 showing Anonymous Logon and alert on repeated hits.
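The monitoring rule in the last bullet, as an added example that is not part of the original page: it filters exported logon records for Event ID 4624, Logon Type 3, Anonymous Logon, and flags any source IP with repeated hits inside a sliding window. The record layout (dicts keyed by the 4624 field names `TargetUserName`, `TargetUserSid`, `LogonType`, `IpAddress`), the 5-minute window, the threshold of 3, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"        # well-known SID of ANONYMOUS LOGON
WINDOW = timedelta(minutes=5)    # assumed alert window
THRESHOLD = 3                    # assumed hits per source IP within WINDOW

def _ev(ts, user, sid, ip, logon_type=3, event_id=4624):
    """Build one constructed record shaped like an exported 4624 event."""
    return {"EventID": event_id, "TimeCreated": ts, "LogonType": logon_type,
            "TargetUserName": user, "TargetUserSid": sid, "IpAddress": ip}

# Constructed sample data, not taken from a real host.
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:00:01", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.5.23"),
    _ev("2024-01-10T09:00:04", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.5.23"),
    _ev("2024-01-10T09:00:09", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.5.23"),
    _ev("2024-01-10T09:00:15", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.5.23"),
    _ev("2024-01-10T09:01:00", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.7.8"),
    _ev("2024-01-10T09:00:00", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.9.9"),
    _ev("2024-01-10T09:02:00", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.9.9"),
    _ev("2024-01-10T09:20:00", "ANONYMOUS LOGON", ANONYMOUS_SID, "10.0.9.9"),
    _ev("2024-01-10T09:00:02", "jsmith", "S-1-5-21-0-0-0-1104", "10.0.5.40"),
    _ev("2024-01-10T09:00:03", "jsmith", "S-1-5-21-0-0-0-1104", "10.0.5.40"),
    _ev("2024-01-10T09:00:05", "jsmith", "S-1-5-21-0-0-0-1104", "10.0.5.40"),
]

def is_anonymous_network_logon(ev):
    """True for Event ID 4624, Logon Type 3, logged as Anonymous Logon."""
    anonymous = (ev.get("TargetUserSid") == ANONYMOUS_SID
                 or (ev.get("TargetUserName") or "").upper() == "ANONYMOUS LOGON")
    return (ev.get("EventID") == 4624
            and str(ev.get("LogonType")) == "3" and anonymous)

def find_repeated_anonymous_logons(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak hit count} for IPs reaching threshold in window."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside window
    alerts = {}
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    for ev in ordered:
        if not is_anonymous_network_logon(ev):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        src = ev.get("IpAddress") or "-"   # 4624 logs "-" when no address is known
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:       # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(hits))
    return alerts

if __name__ == "__main__":
    for ip, count in find_repeated_anonymous_logons(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} anonymous network logons from {ip} within {WINDOW}")
```

Tune the window and threshold against your own baseline before alerting on the result.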
