M100292: Configuring deployment shares as Null shares for access by NT / 2000 / XP managed devices

Summary

Installation and configuration events on NT/2000/XP computers run under the SYSTEM account. For machines that are not authenticated within the domain (e.g. members of the Domain Computers security group), distribution location shares must be set up as Null shares so that the SYSTEM account is able to read and download package and configuration files. A utility is supplied as an attachment to assist in setting Null shares.

Affected Releases:

Applies to all Windows platforms from NT 3.5 onward (Null shares are default on NT 3.1).

 

The ManageSoft services running on NT/2000/XP managed devices run under the SYSTEM account, which gives them full control over the local machine. Installation events for packages, configuration events for policy, upload/download settings, and schedule updates all run under the SYSTEM account. Each of these events attempts to download package or configuration data from a distribution location.

If the distribution location consists of a file share, the server hosting the share will require authentication from whatever is requesting access. However, when a process running under the SYSTEM account attempts to connect to a share, the process tries to connect with a Null credential. By default, Windows will deny access to the share.

 

To set up the ManageSoft distribution location share as a Null share, use regedt32.exe to edit the following Registry key on the distribution server hosting the distribution location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
Add the name of the share on a new line.

 

Note: Because this key is a multi-line string, regedt32.exe is preferred over regedit.

 

For Windows 2000 computers, also locate the following key in the Registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
Set this value to 0.

For further information, see the following Microsoft KB articles.

  • For NT 3.5 to 4.0: 
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q122702
  • For Windows 2000: 
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q289655

To assist in setting these values on shares, a utility has been created. This has been included as an attachment to this article. It is a single executable.

Use this utility on a command line, with the following syntax:

CreateKey -s sharename <-s sharename> -r 
-s identifies the share name. Multiple shares may be set at once by including a -s switch before each sharename. 
-r switch turns off RestrictAnonymous access.
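
The same two Registry changes, as an added PowerShell example (not the attached CreateKey utility and not part of the original article): it appends share names to NullSessionShares without overwriting existing entries and returns the before and after values so the change can be recorded and reverted. The function names and the share name in the usage comment are hypothetical, and an elevated session on the distribution server is assumed.

```powershell
# Added example; function names are hypothetical. Run elevated on the distribution server.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NullShareState {
    # Read both values named in the article; a missing value comes back as empty/$null.
    $shares   = (Get-ItemProperty -Path $LanmanParams -Name NullSessionShares `
                    -ErrorAction SilentlyContinue).NullSessionShares
    $restrict = (Get-ItemProperty -Path $LsaKey -Name RestrictAnonymous `
                    -ErrorAction SilentlyContinue).RestrictAnonymous
    [pscustomobject]@{
        NullSessionShares = @($shares | Where-Object { $_ })   # drop empty lines
        RestrictAnonymous = $restrict
    }
}

function Add-NullSessionShare {
    param(
        [Parameter(Mandatory)][string[]]$ShareName,   # like repeating -s sharename
        [switch]$DisableRestrictAnonymous             # like the -r switch
    )
    $before = Get-NullShareState

    # NullSessionShares is a multi-line string (REG_MULTI_SZ): merge, never overwrite.
    $merged = @($before.NullSessionShares)
    foreach ($name in $ShareName) {
        if ($merged -notcontains $name) { $merged += $name }   # comparison is case-insensitive
    }
    New-ItemProperty -Path $LanmanParams -Name NullSessionShares `
        -PropertyType MultiString -Value ([string[]]$merged) -Force | Out-Null

    if ($DisableRestrictAnonymous) {
        New-ItemProperty -Path $LsaKey -Name RestrictAnonymous `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Return both states so the change can be logged and the old values restored.
    [pscustomobject]@{ Before = $before; After = Get-NullShareState }
}

# Usage ('ExampleShare' is a constructed name):
# Add-NullSessionShare -ShareName 'ExampleShare' -DisableRestrictAnonymous | Format-List
```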

 
