- Product
Product Overview
Sophisticated security with unmatched simplicityCloud SIEM
Pre-configured detections across your environmentHoneypots
Deception technology to detect lateral movementEndpoint Visibility
Real-time monitoring with added detection & responseSecurity Reports
Data visualizations, compliance reports, and executive summariesAutomated Response
Detect, prioritize, and neutralize threats around the clockIntegrations
Cloud, on-prem, and open API connectionsXDR Platform
A complete view to identify risk, and things operational
- Pricing
- Why Blumira
Why Blumira
The Security Operations platform IT teams loveWatch A Demo
See Blumira in action and how it builds operational resilienceUse Cases
A unified security solution for every challengePricing
Unlimited data and predictable pricing structureCompany
Our human-centered approach to cybersecurityCompare Blumira
Find out how Blumira stacks up to similar security toolsIntegrations
Cloud, on-prem, and open API connectionsCustomer Stories
Learn how others like you found success with Blumira
- Solutions
- Partners
- Resources
Null Session
A null session occurs when you log in to a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system.
Note: Microsoft Windows uses SMB, and Unix/Linux systems use CIFS.
Once an attacker has made a NetBIOS connection using a null session to a system, they can easily get a full list of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The SMB and NetBIOS standards in Windows include APIs that return information about a system via TCP port 139.
One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter-Process Communication share (IPC$). This hidden share is accessible using the net use command.
The “net use” command is a built-in Windows command that connects to a share on another computer. The empty quotation marks (” “) indicate that you want to connect with no username and no password. To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:
net use \\192.21.7.1 \IPC$ "" /u: ""
Once the net use command has been successfully completed, the attacker has a channel over which to use other hacking tools and techniques.
Disable Null Sessions in Windows For Security
Disabling null sessions is a key way to help you strengthen your organization’s security and reduce your attack surface. Learn How to Disable Null Session in Windows in our security guide from Blumira’s security team.
Detect and respond to Microsoft Windows security threats, including null session attacks by known hacker tools with Blumira’s detection and response platform to gain visibility in your Windows servers.
Frequently Asked Questions
What is a null session in Windows?
A null session is an unauthenticated connection to a Windows system using the IPC$ (Inter-Process Communication) share with no username or password. It exploits the SMB protocol (historically via NetBIOS) to establish a session that can enumerate system information without valid credentials. Historically, null sessions were a default behavior in Windows NT and 2000, allowing anonymous users to list user accounts, group memberships, share names, and security policies. Attackers use null session enumeration as a reconnaissance technique during the early stages of a network compromise, gathering account names and system details before attempting credential attacks.
What are the security risks of null sessions?
Null sessions give an attacker a footmap of your Active Directory environment without needing any credentials. Through a null session, an attacker can enumerate usernames (which they can then target with password spraying or brute force), discover network shares and their permissions, identify domain trust relationships, and pull security policy details like password length requirements and lockout thresholds. This information dramatically reduces the effort needed for lateral movement. In penetration testing, null session enumeration is one of the first techniques attempted because it requires zero authentication and can yield high-value intelligence about the target environment.
How do I detect null session connections?
Null session attempts generate specific Windows Security Event Log entries. Look for Event ID 4624 (successful logon) with Logon Type 3 (network) where the account name is ANONYMOUS LOGON. Event ID 4625 (failed logon) with the same anonymous pattern indicates blocked attempts. Event ID 5140 (network share access) targeting IPC$ with an anonymous source is another indicator. Monitoring these events manually across every system is impractical. A SIEM that ingests Windows Security logs can correlate anonymous logon events with IPC$ share access and alert on the pattern automatically. Blumira ingests Windows event logs and includes pre-built detections for suspicious anonymous authentication activity.
How do I disable null sessions in Windows?
Apply three Group Policy settings to disable null sessions. First, set "Network access: Restrict anonymous access to Named Pipes and Shares" to Enabled. Second, set "Network access: Do not allow anonymous enumeration of SAM accounts" to Enabled. Third, set "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to Enabled. These settings are found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Apply them via Group Policy Object (GPO) to enforce across all domain-joined systems. After applying, test that legitimate services (printers, older applications) still function, as some legacy systems may rely on anonymous access.
Are modern Windows versions still vulnerable to null sessions?
Windows Server 2016 and later restrict null sessions by default, but the protections are not absolute. The default settings block anonymous enumeration of SAM accounts and shares, which stops the most common enumeration techniques. However, misconfigurations during domain migrations, legacy application compatibility exceptions, and third-party software requirements can re-enable null session access. Organizations that upgraded from older Windows versions may have inherited permissive Group Policy settings. The only way to confirm your environment is protected is to audit the three relevant GPO settings across all domain controllers and member servers, and to actively monitor for anonymous logon events in your security logs.
What can a SIEM tell you about null session activity?
A SIEM correlates null session indicators across your entire Windows environment in real time rather than requiring manual log review on each server. It can identify which systems are being targeted for anonymous enumeration, detect patterns like sequential null session attempts across multiple hosts (indicating automated scanning), and alert when anonymous logon events spike above your environment's baseline. Blumira's 24/7 SecOps team monitors these alerts and can notify you when null session reconnaissance is detected, along with step-by-step response guidance. Without centralized log monitoring, null session enumeration typically goes undetected because the individual events look benign in isolation.
Are null sessions still a real-world risk or just a legacy concern?
Null sessions are primarily a legacy risk, but they remain relevant in environments that have not hardened their Group Policy settings. Organizations running modern Windows Server versions with default configurations are protected against the most common null session enumeration techniques. The real risk is in environments that migrated from older Windows versions and inherited permissive settings, or where legacy application compatibility exceptions re-enabled anonymous access. If your environment is fully hardened and you are monitoring for anonymous logon events, null sessions are a solved problem. If you are unsure whether your GPOs are configured correctly, that uncertainty itself is the risk.