Null Sessions

Sometimes a call arriving on the null session can look like an authenticated call. Specifically, calling the RpcBindingInqAuthClient function returns the authentication level and security provider used for the call. A successful result from this function does not mean the call was not on a null session; the two issues are orthogonal. On Microsoft Windows 2000, a remote procedure call can attempt to impersonate the caller and check the permissions after impersonation. On Microsoft Windows XP, it is faster to call the RpcServerInqCallAttributes function and check for the NullSession flag.

Another relevant difference exists between Windows 2000 and Windows XP. If only the RPC_IF_ALLOW_SECURE_ONLY flag is specified, calls on the null session go through in Windows 2000. In Windows XP, with the general tightening of default security settings, calls on the null session are rejected with access denied when this flag is specified. However, even with the RPC_IF_ALLOW_SECURE_ONLY flag, RPC does not guarantee the privilege level of the calling user. RPC checks only that the user has valid credentials. The calling user may be using the guest account or another low-privileged account. Make sure the server does not assume the caller has high privilege just because RPC_IF_ALLOW_SECURE_ONLY is used.
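The following security callback is an added example, not code from the original page. It treats the null-session check, the authentication level, and the caller's privilege as three separate tests. The names call_facts, authorize_call and SecurityCallback are hypothetical, and the admin-only, packet-integrity policy is an assumption chosen for illustration.

```c
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>   /* link with rpcrt4.lib and advapi32.lib */
#else              /* Windows SDK values, so the policy also builds elsewhere */
#define RPC_S_OK 0L
#define RPC_S_ACCESS_DENIED 5L
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#endif

/* Facts gathered about one incoming call (hypothetical helper type). */
typedef struct {
    int null_session;           /* NullSession from RpcServerInqCallAttributes */
    unsigned long authn_level;  /* AuthenticationLevel from the same call */
    int is_admin;               /* caller token is in BUILTIN\Administrators */
} call_facts;

/* Assumed policy: admin-only interface. Each test is independent: a null
   session can still report an authentication level, and valid credentials
   may belong to the guest account. */
long authorize_call(const call_facts *f)
{
    if (f->null_session) return RPC_S_ACCESS_DENIED;
    if (f->authn_level < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) return RPC_S_ACCESS_DENIED;
    if (!f->is_admin) return RPC_S_ACCESS_DENIED;
    return RPC_S_OK;
}

#ifdef _WIN32
/* Security callback, registered with RpcServerRegisterIfEx or RpcServerRegisterIf2. */
RPC_STATUS RPC_ENTRY SecurityCallback(RPC_IF_HANDLE ifh, void *binding)
{
    RPC_CALL_ATTRIBUTES_V1 attrs = {0};
    call_facts f = {0};
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD sid_len = sizeof sid;
    BOOL member = FALSE;
    (void)ifh;

    attrs.Version = 1;  /* Flags stays 0: no principal names requested */
    if (RpcServerInqCallAttributes(binding, &attrs) != RPC_S_OK) return RPC_S_ACCESS_DENIED;
    f.null_session = attrs.NullSession;
    f.authn_level = attrs.AuthenticationLevel;
    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid, &sid_len)) return RPC_S_ACCESS_DENIED;
    if (RpcImpersonateClient(binding) != RPC_S_OK) return RPC_S_ACCESS_DENIED;
    if (CheckTokenMembership(NULL, sid, &member)) f.is_admin = member;
    if (RpcRevertToSelf() != RPC_S_OK) return RPC_S_ACCESS_DENIED;
    return authorize_call(&f);
}
#endif
```

Every failure path returns access denied, so a caller is never authorized on the strength of a check that could not be completed.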