What RestrictAnonymous value is required for complete security against anonymous null sessions?

When a system allows anonymous (null) sessions over SMB, an unauthenticated user can connect and sometimes enumerate accounts, shares, and other information. The RestrictAnonymous setting controls how much information an anonymous user can discover or access. Setting this value to 2 blocks anonymous enumeration of SAM accounts and shares, effectively preventing anonymous users from learning names and paths that could be used to further attacks. This level provides stronger protection against anonymous null sessions compared to 0, which imposes no restrictions, or 1, which still allows some anonymous enumeration. While higher values might exist on some systems, in this context 2 is the effective setting for complete protection against anonymous null session information disclosure.