Uses the anonymous, passwordless connection ("NULL session") Enumerates shares, which is also used by WinNT in trusted domains grabs name of the domain administrator, allowing intruder to find the name of the administrator account net use \\host\ipc$ "" /user:"" Install "sec-fix" hotfix or SP3/later. Edit registry key: HKLM\CurrentControlSet\Control\LSA RestrictAnonymous REG_DWORD 1