Creating a Null Session Share

If you are using an administrative installation point or a network install for Microsoft Office updates in BES, you will need to set up a "null session share", which allows the BES Client computers (which run as the SYSTEM user) to access the computer hosting the shared files. If the shared files are on a computer with the NTFS file system, you will also need to make sure that "EVERYONE", "NETWORK", or "ANONYMOUS LOGON" has NTFS "read" permissions. Null session shares can only be set up on Windows NT+ computers and will not work on Win9x/WinME.

Setting up a null session share on an NT-based machine

  1. On the computer that you are using to host the files, share the folder with the administrative installation point or the Office CD and remember its share name. (Make sure "Everyone" or "Authenticated Users" has full permissions on the share.)
  2. From the Start menu, Run the program "regedt32".
  3. In the Registry Editor window, find the "HKEY_LOCAL_MACHINE on Local Machine" window.
  4. Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters".
  5. Open the multi-string value "NullSessionShares" and add the share name of the folder you selected in Step 1. Enter this value on a new line in the registry value.
  6. Close the Registry Editor window.
  7. Under Administrative Tools, select Services.
  8. Right-click the "Server" service and select Restart to restart the service.

    Note: If the computer that is hosting the shared files has the value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous" set to 1 or 2, then the BES Clients will not be able to access the shared files. You will need to set the RestrictAnonymous value to 0 to allow the BES Clients access to the shared files.

If the system where you are creating the null session share is running Windows 2003 Server, you will also need to enable the Group Policy "Network access: Let Everyone permissions apply to anonymous users". You can do this by:

  1. Start menu
  2. Run
  3. gpedit.msc
  4. Drill down to the following location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  5. Double click on "Network access: Let Everyone permissions apply to anonymous users"
  6. Select "Enable" and press Enter

If the system where you are creating the null session share is running Windows 2008 Server, you will also need to enable the Group Policy "Network access: Shares that can be accessed anonymously". You can do this by:

  1. Start menu
  2. Run
  3. gpedit.msc
  4. Drill down to the following location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  5. Double click on "Network access: Shares that can be accessed anonymously"
  6. Add the share name from the folder you selected in Step 1



To test your setup, you can use the "net use" command to connect to your resource using an anonymous login and null password (simulating what the BES Client process will be doing). From a command prompt, execute the following:

net use \\servername\sharename "" /user:""

(Where "\\servername\sharename" is replaced by the UNC of the null share.)

If you already have a connection to the server, you will have to clear the connection to the server prior to executing the above command, or it will instead attempt to map the device using the previously successful connection parameters.

The response "The command completed successfully" indicates that the device was mapped successfully, while errors such as "System error 5 has occurred. Access is denied" indicate an immediate failure and you must verify your setup.

If you have successfully mapped the device, you should then attempt to copy files to or from the resource "\\servername\sharename" to ensure you have the access desired.
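In addition to the "net use" test, the host-side settings from the steps above can be read back in one pass on the computer hosting the files. The script below is an added example, not part of the original page or of BES. It assumes Windows PowerShell 2.0 through 5.1, and the share name "OfficeAIP" is a constructed placeholder for the share from Step 1.

```powershell
# Added example (not from the original page). Run locally on the file host.
# Assumptions: Windows PowerShell 2.0-5.1; 'OfficeAIP' is a constructed share name.
param([string[]]$ExpectedShares = @('OfficeAIP'))

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'

function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing (instead of an error) when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# NullSessionShares is a multi-string value: one share name per entry.
$nullShares = @(Get-RegValue $srvKey 'NullSessionShares' | Where-Object { $_ })
$unexpected = @($nullShares | Where-Object { $ExpectedShares -notcontains $_ })
$missing    = @($ExpectedShares | Where-Object { $nullShares -notcontains $_ })

"NullSessionShares         : $($nullShares -join ', ')"
"Not in expected list      : $($unexpected -join ', ')"
"Expected but not listed   : $($missing -join ', ')"
"RestrictAnonymous         : $(Get-RegValue $lsaKey 'RestrictAnonymous')"
# Registry value behind "Let Everyone permissions apply to anonymous users".
"EveryoneIncludesAnonymous : $(Get-RegValue $lsaKey 'EveryoneIncludesAnonymous')"

# Everyone, NETWORK, ANONYMOUS LOGON as well-known SIDs (locale independent).
$anonSids = 'S-1-1-0', 'S-1-5-2', 'S-1-5-7'
# Rights beyond the NTFS "read" the page asks for, plus GENERIC_WRITE/GENERIC_ALL.
$beyondRead = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

foreach ($name in $nullShares) {
    $share = Get-WmiObject Win32_Share | Where-Object { $_.Name -eq $name }
    if (-not $share) { "Share '$name' is listed but does not exist"; continue }
    # Ask for the NTFS rules with identities already expressed as SIDs.
    $rules = (Get-Acl -Path $share.Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $anonSids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $beyondRead)) {
            "$($share.Path): $($r.IdentityReference.Value) allowed $($r.FileSystemRights)"
        }
    }
}
```

Any name under "Not in expected list" is a share that accepts connections without credentials but is not the Office installation point. Any line printed by the final loop is an NTFS grant to Everyone, NETWORK or ANONYMOUS LOGON that goes beyond the read access the BES Clients need.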

You are now ready to deploy Office updates through the BES Console. You will be prompted to enter the location of the shared installation point during each patch deployment. Please enter it in the form of \\server_name\sharename.

For further information on null session shares, see Microsoft's knowledge base article.