You try to connect to a Microsoft Windows XP Service Pack 2 (SP2)-based client computer by using the following Microsoft Systems Management Server (SMS) 2003 Remote Tools command:
remote.exe /SMS:NoSQL
However, you receive the following error message:
Remote Tools: Security rights to run Remote Tools on this client have been denied.
Note You can connect if you use this command without the /SMS:NoSQL switch.
When you use the remote.exe command together with the /SMS:NoSQL switch, the system tries to connect to the IPC$ share of the client computer by using a NULL session. The remote.exe process then tries to connect to the server service by using a named pipe to issue the NetServerGetInfo API call. The advanced security features for Windows XP SP2 do not let you connect to the server service named pipe from a NULL session.
To work around this issue, use one of the following methods.
Method 1
If you know the site code or the database server name, use the remote.exe command without the /SMS:NoSQL switch. You will then be prompted to manually enter the site code or the database server name.
Method 2
If you must use the /SMS:NoSQL switch, create an authenticated session to the client computer before you run the remote.exe command. To create an authenticated session, type net use \\client computer name\IPC$ at a command prompt, and then press ENTER. This generates a connection to the client computer by using the logged-on user's credentials.
Note Alternatively, another set of credentials can be passed in the command line.
The remote.exe process will use the authenticated session to connect to the named pipe.
Note You can also map a drive to a network share before you start the remote.exe process. Or, you can locate a shared resource on the client computer before you start the remote.exe process. These approaches will have the same outcome as mapping to the IPC$ share on the client.
Method 3
Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
You can enable named pipes to the server service through null sessions by using one of the following methods.
Note You do not have to restart the client computer to apply these changes. However, these changes will be applied as long as the registry change or the local security policy is applied.
- Edit the registry of the client computer. To do this, follow these steps:
  - On the client computer, open Registry Editor, and then expand the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver
  - Click parameters, and then double-click NullSessionPipes.
  - In the Edit Multi-String dialog box, add SrvSvc to the list by typing SrvSvc on a new line.
  - Click OK, and then close Registry Editor.
- Modify the local security policy. To do this, follow these steps:
  - On the client computer, click Start, click Run, type secpol.msc in the Open box, and then click OK.
  - In the Local Security Settings window, expand Local Policies, and then click Security Options.
  - In the results pane, double-click Network Access: Shares that can be accessed anonymously.
  - In the Local Policies Settings dialog box, add SrvSvc to the list by typing SrvSvc on a new line.
  - Click OK, and then close the Local Security Settings window.
  - Click Start, click Run, type gpupdate.exe in the Open box, and then click OK.
Note When you remove the SrvSvc entry from the policy, this does not remove the registry entry after the registry entry has been added.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
If the RestrictAnonymous parameter is enabled in the registry or in Group Policy, you may experience the behavior that is discussed in the "Symptoms" section when you try to connect to the following types of client computers:
- Microsoft Windows NT 4.0 servers and workstations
- Microsoft Windows 2000 servers and workstations
- Microsoft Windows Server 2003 servers
- Windows XP workstations
Unless the RestrictAnonymous registry entry or the Group Policy setting is changed, you cannot connect to the client by using the remote.exe /SMS:NoSQL command. Additionally, method 3 in the "Workaround" section will not work if the RestrictAnonymous registry entry on the client computer is set or if the RestrictAnonymous Group Policy has been implemented. However, methods 1 and 2 will still work, because these methods do not use a NULL session.
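The following read-only check is an added example, not part of the original article: it reports whether SrvSvc is listed in NullSessionPipes (the Method 3 change, which stays in the registry even after the policy entry is removed) and whether RestrictAnonymous is set. The function name, the Lsa key path for RestrictAnonymous, and the treatment of any nonzero value as "set" are assumptions of this example.

```powershell
# Added example: read-only audit of the settings discussed in this article.
# Get-NullSessionPipeAudit is an illustrative name, not an SMS or Windows cmdlet.
function Get-NullSessionPipeAudit {
    param(
        [string]$PipeName = 'SrvSvc'   # pipe that Method 3 adds
    )

    # Key from the article (lanmanserver\parameters) and the Lsa key that
    # holds RestrictAnonymous (assumed location, not stated in the article).
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # NullSessionPipes is a multi-string value; a missing value yields an empty list.
    $raw   = Get-ItemProperty -Path $srvKey -Name NullSessionPipes -ErrorAction SilentlyContinue
    $pipes = @($raw.NullSessionPipes | Where-Object { $_ })

    # A missing RestrictAnonymous value is treated as 0 (not set).
    $lsa      = Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $restrict = $lsa.RestrictAnonymous
    if ($null -eq $restrict) { $restrict = 0 }

    $listed = $pipes -contains $PipeName   # comparison is case-insensitive

    # Assumption: any nonzero RestrictAnonymous value counts as "set".
    if ($listed -and $restrict -eq 0) {
        $finding = "$PipeName is open to NULL sessions (Method 3 is in effect)"
    } elseif ($listed) {
        $finding = "$PipeName is listed, but RestrictAnonymous is set, so Method 3 will not work"
    } else {
        $finding = "$PipeName is not listed in NullSessionPipes"
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        NullSessionPipes  = ($pipes -join ', ')
        PipeListed        = $listed
        RestrictAnonymous = $restrict
        Finding           = $finding
    }
}

Get-NullSessionPipeAudit | Format-List
```

Run it on the client computer from an elevated PowerShell prompt; it only reads the registry and changes nothing.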