Guest
This one's rather long and involved - my deepest gratitude to anyone who can
be bothered to read to the end and help!
I am trying to address a security vulnerability in my Windows servers (both
2003 and 2000).
Specifically, I am trying to disable null NetBIOS sessions.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
This can be done per machine using the Local Security Policy editor
(Secpol.msc); however, I am trying to apply it via Group Policy (as this
option is available) rather than having to apply it manually to each of my
servers.
The setting within the Local Security Policy editor and the Group Policy
editor has changed from Windows 2000 to Windows 2003/XP so that one of the
'value data' entries which was available with Windows 2000 is no longer
available in 2003/XP.
As my Domain & Forest functional levels are both Windows Server 2003, it is
natural that I should manage Group Policy from the DCs (2003 machines).
What I need to know is what the official Microsoft advice is when trying to
apply a setting to a Windows 2000 machine via Group Policy when the setting
is not available via the Policy editor in Windows 2003.
Details of the differences between W2K and WIN2003 are below:
Windows 2000
Computer Configuration==>Windows Settings==>Security Settings==>Local
Policies==>Security Options
'Additional Restrictions for anonymous connections'
Possible settings for this policy are:
None. Rely on default permissions
Do not allow enumeration of SAM accounts and shares
No access without explicit anonymous permissions
This policy corresponds to the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD:
restrictanonymous
The policy settings change the value data of 'restrictanonymous' as follows:
None. Rely on default permissions==>restrictanonymous=0
Do not allow enumeration of SAM accounts and shares==>restrictanonymous=1
No access without explicit anonymous permissions==>restrictanonymous=2
Windows Server 2003
Computer Configuration==>Windows Settings==>Security Settings==>Local
Policies==>Security Options
Network access: Do not allow anonymous enumeration of SAM accounts and
shares
Possible settings for this policy are:
Enabled
Disabled
This policy also corresponds to the same registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD:
restrictanonymous
However, the policy settings in Windows Server 2003 change the value data of
'restrictanonymous' as follows:
Enabled==>restrictanonymous=1
Disabled==>restrictanonymous=0
So the option to change the DWORD 'restrictanonymous' to a value of 2 is no
longer available via the Group Policy editor in Windows 2003/XP even though
this is a setting recommended by Microsoft for Windows 2000 machines.
Any help greatly appreciated.
PProctor
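Whatever mechanism ends up pushing the value, it is worth verifying what each server actually holds, since the same editor label maps to different data on the two platforms. The following audit script is an added example, not part of the original post: it reads the restrictanonymous DWORD described above from each host, and treats 2 as the target on Windows 2000 and 1 on Windows 2003/XP (the highest value the 2003 editor offers). The host names are constructed placeholders.

```powershell
# Added example (not from the original post): audit the restrictanonymous
# DWORD on a list of servers and compare it with the value expected for
# each platform (2 on Windows 2000, 1 on Windows 2003/XP).
$hosts = @('W2K-FILE01', 'W2K3-DC01')   # constructed placeholder host names

function Get-ExpectedRestrictAnonymous {
    param([string]$OsCaption)
    # Only the Windows 2000 editor exposes "No access without explicit
    # anonymous permissions" (value 2); 2003/XP "Enabled" writes 1.
    if ($OsCaption -match '2000') { return 2 } else { return 1 }
}

function Test-RestrictAnonymous {
    param([string]$ComputerName)
    # Identify the platform so the right target value is applied.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Read HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous;
    # a missing value behaves like 0 (no restriction).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $actual = [int]$lsa.GetValue('restrictanonymous', 0)
    $lsa.Close(); $hklm.Close()

    $expected = Get-ExpectedRestrictAnonymous -OsCaption $os.Caption
    [pscustomobject]@{
        Computer  = $ComputerName
        OS        = $os.Caption
        Actual    = $actual
        Expected  = $expected
        Compliant = ($actual -ge $expected)
    }
}

# Report one row per server; non-compliant rows are the ones still
# accepting anonymous enumeration (or, on Windows 2000, anonymous access).
$hosts | ForEach-Object { Test-RestrictAnonymous -ComputerName $_ } |
    Format-Table -AutoSize
```

Run it from an account with remote registry and WMI rights on the target servers; a Compliant value of False on a Windows 2000 host is the case the post is about, where Group Policy from a 2003 DC only ever wrote 1.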