5.1 Security Considerations for Implementers

In general, the browser service operates without any security. It is possible for applications to spoof elections. Additionally, a malfunctioning local master browser server can mount an effective denial-of-service (DoS) attack against the entire browser infrastructure (for example, if a browser server refuses to release the <machine group>[0x1D] name after losing an election).
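One way a defender could spot the stuck-name condition described above is shown here as an added example; it is not part of the specification. The event format (register/release observations that a sensor has already extracted from NetBIOS name service traffic), the function names and the sample addresses are assumptions; the name decoding follows the first-level encoding of RFC 1001.

```python
from collections import namedtuple

MASTER_BROWSER_SUFFIX = 0x1D  # suffix byte of the <machine group>[0x1D] name
Event = namedtuple("Event", "time src op encoded_name")  # assumed sensor output; op: register|release

def encode_netbios_name(name, suffix):
    """First-level encoding: 15 chars, space padded, plus suffix byte -> 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(encoded):
    """Return (name, suffix); raise ValueError on malformed input."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def find_unreleased_master_names(events):
    """Flag a [0x1D] registration made while a different host still holds the name."""
    holder = {}    # group name -> source currently holding <group>[0x1D]
    findings = []  # (time, group, previous holder, new claimant)
    for ev in sorted(events, key=lambda e: e.time):
        try:
            group, suffix = decode_netbios_name(ev.encoded_name)
        except ValueError:
            continue  # malformed name: skip it rather than stop the sensor
        if suffix != MASTER_BROWSER_SUFFIX:
            continue  # only the local master browser name is of interest
        if ev.op == "release" and holder.get(group) == ev.src:
            del holder[group]
        elif ev.op == "register":
            prev = holder.get(group)
            if prev is not None and prev != ev.src:
                findings.append((ev.time, group, prev, ev.src))
            holder[group] = ev.src
    return findings

# Constructed sample events (not captured traffic).
_name = encode_netbios_name("WORKGROUP", MASTER_BROWSER_SUFFIX)
SAMPLE_EVENTS = [
    Event(1, "192.0.2.10", "register", _name),
    Event(2, "192.0.2.10", "release", _name),   # clean handover after an election
    Event(3, "192.0.2.20", "register", _name),
    Event(9, "192.0.2.30", "register", _name),  # .20 never released the name
    Event(10, "192.0.2.30", "register", encode_netbios_name("WORKGROUP", 0x00)),
]
```

Run over the sample events, the function reports a single finding: the registration at time 9, made while 192.0.2.20 still held the WORKGROUP[0x1D] name.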

The browser service uses null sessions to establish a connection to the IPC$ share of the server. Null sessions are simply SMB connections [MS-SMB] that use no password, no domain, and no user ID to establish the connection. Because no credentials are presented, the connection is highly insecure.