Deny all anonymous

  • Thread starter: Bill W.

Bill W.

Hi,

I want to deny all and/or any anonymous access to any
services, workstations, and clients. Also I don't want to
allow null anything (pipes, shares, etc.). I have a win2k
advanced network with mixed clients and servers. Clients
are Win98Se, Win2kPro, WinXP Pro. Servers are
Win2kAdvanced, Win2003Standard, WinNT 4.0.

Any info is helpful. Thank you.
 
This is accomplished with a firewall, ACL permissions, security options,
and user rights assignments. A firewall is the best way to block access to
null sessions from untrusted networks. For within your network you can
replace the Everyone and Users groups with Authenticated Users in ACLs
and user rights assignments and harden the security option for additional
restrictions for anonymous users to no access without explicit anonymous
permissions. However I would not recommend changing that security option to
setting "2" for a mixed network as you will have problems especially with
password changes [including XP clients] and spotty performance of network
browsing. See the KB link below for the ramifications of restricting
anonymous access to the strictest setting and I suggest you read the Windows
2000 Security Hardening Guide for specific recommendations that involve
different network makeups. --- Steve

http://support.microsoft.com/?kbid=246261
http://tinyurl.com/vgd5
 
Just to add: other than a firewall, I would not make any changes until you
read the Windows 2000 Security Hardening Guide. You also need to be careful
when modifying the user rights assignment for "access this computer from the
network" in Domain Controller Security Policy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
http://support.microsoft.com/default.aspx?scid=kb;en-us;257346

 
Go to Control Panel, select Administrative Tools, then click
Computer Management, go to the Advanced tab, then delete all
users.
 
You won't be able to restrict all anonymous until you get rid of the Win NT
and 98 computers.

It sounds like what you really want to do is increase your security. That's
more than just restricting anonymous. To do so, see here:

http://securityadmin.info/faq.asp#harden

To find out more about NetBIOS null sessions and test your computers to see
what information is available through them, go to www.securityfriday.com,
especially the getacct tool. Searching www.microsoft.com/support and also
www.google.com for "restrictanonymous" would also get you some additional
information.

Note that the registry settings for null sessions on NT, 2000 and XP are all
different. For NT, RestrictAnonymous should = 1 for the most security
possible [although NetBIOS null sessions are still allowed with that
setting, you just get somewhat less information through them]. For Windows
2000, RestrictAnonymous can = 1 or 2, but 2 breaks things with NT and 98.
For XP, RestrictAnonymous cannot = 2, it should probably = 1, but there is a
second registry key called RestrictAnonymousSAM. Documentation on doing
this with XP is very slim, you have to search www.google.com for
"restrictanonymoussam" for more information.
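
Added example, not part of any post in this thread: a small audit that parses `reg query` output for the Lsa key and checks RestrictAnonymous and RestrictAnonymousSAM against the per-OS guidance given above. The registry path, the `nt4`/`2000`/`xp` labels, the function names and the sample output are assumptions of this example, as is expecting RestrictAnonymousSAM = 1 on XP.

```python
import re

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output,
# one sample per host; not captured from real machines.
SAMPLE_2000 = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x2
"""
SAMPLE_XP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Return {lower-cased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def audit(os_family, values, legacy_clients=True):
    """os_family is 'nt4', '2000' or 'xp' (labels chosen for this example).
    legacy_clients: NT 4.0 or Win98 machines still talk to this host."""
    findings = []
    ra = values.get("restrictanonymous", 0)  # a missing value acts as 0
    if ra == 0:
        findings.append("RestrictAnonymous=0: raise to 1")
    if os_family == "nt4":
        if ra >= 2:
            findings.append("RestrictAnonymous=2 is not an NT 4.0 level: use 1")
        findings.append("NT 4.0 still allows null sessions at 1: filter at the firewall")
    elif os_family == "2000" and ra == 2 and legacy_clients:
        findings.append("RestrictAnonymous=2 breaks NT and 98 clients: use 1")
    elif os_family == "xp":
        if ra >= 2:
            findings.append("RestrictAnonymous=2 is not valid on XP: use 1")
        # Expecting 1 here is this example's assumption; the thread only names the value.
        if values.get("restrictanonymoussam") != 1:
            findings.append("RestrictAnonymousSAM is not 1")
    return findings

if __name__ == "__main__":
    for family, sample in (("2000", SAMPLE_2000), ("xp", SAMPLE_XP)):
        for finding in audit(family, parse_reg_query(sample)):
            print(family, "-", finding)
```

Run it per host with that host's saved `reg query` output in place of the samples; an empty list means the values match the guidance above for that OS.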
 