Hi Bill.
Thanks for digging! It is a very interesting read, and now I have more insight
into its meaning. I saw that the value 2 is just to be used in "pure" Win2000
environments, so I see now, because of what you have so kindly found out, that
XP Pro is safer by default.
This is really something I have tried to find out for months after having
several anonymous logons from usernames I never heard of, and thanks to
MS AntiSpy's message and my posting about it I have now been taught how to
handle this, because I have learned so many other things about hardening my PC
along the way. I have one thing though that I must ask... if I enable
"Do not allow anonymous enumeration of SAM accounts and shares", then it
should be the right thing to do if I want to harden my PC even more? Or am I
getting it wrong? Thanks very much.
Gunilla.
"Bill Sanderson" <[email protected]> wrote in message
Gunilla said:
This bears out my recollection that 2 isn't needed for XP--but let me see if
I can get a better reference.
Here's the full text of the MBSA information for this setting:
--------------------------------------------
Restrict Anonymous Users
Issue
The RestrictAnonymous registry setting controls the level of enumeration
granted to an anonymous user. If RestrictAnonymous is set to 0 (the default
setting), any user can obtain system information, including: user names and
details, account policies, and share names. Anonymous users can use this
information in an attack on your system. The list of user names and share
names could help potential attackers identify who is an administrator, which
computers have weak account protection, and which computers share
information with the network.
Solution
To restrict anonymous connections from accessing this system information,
change the RestrictAnonymous security settings. You can do this through the
Security Configuration Manager snap-in (the setting is defined in the Local
Policies portion of the default security templates) or through a registry
editor. You can change the registry setting from 0 to 1 in Microsoft®
Windows NT® 4.0, or from 0 to 1 or 2 in Windows® 2000:
0 - None. Rely on default permissions.
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and
names.
2 - No access without explicit anonymous permissions (not available on
Windows NT 4.0).
Caution
Before you set this value to 2, see article 246261, "How to Use the
RestrictAnonymous Registry Value in Windows 2000." We recommend that you do
not set this value to 2 on domain controllers or computers running Small
Business Server (SBS) in Mixed-Mode environments (for example, networks with
downlevel clients). In addition, client machines with RestrictAnonymous set
to 2 should not take on the role of master browser. For more details on
configuring RestrictAnonymous on domain controllers and in Windows 2000
environments, and to better understand potential compatibility issues when
using this setting, refer to the Microsoft Knowledge Base articles that are
listed later in this document.
Note
In Windows XP, there is a new EveryoneIncludesAnonymous registry setting
that controls whether permissions given to the built-in Everyone group apply
to anonymous users. By default, permissions granted to the Everyone group do
not apply to anonymous users in Windows XP. This provides the same level of
anonymous user restrictions as the RestrictAnonymous setting in previous
Windows operating systems. The EveryoneIncludesAnonymous setting can be
configured through the Security Configuration Manager snap-in (the setting
is defined in the Local Policies portion of the security template) on
Windows XP Professional systems or through a registry editor. This setting
is located within the same registry key as RestrictAnonymous. For registry
path information, see the following Knowledge Base articles.
--------------------------------------------------------------------------------------
XP by default is safer than 2000 or NT.
You notice there is no mention of using the 2 setting for XP.
----------------------------------------------------------------------------------------
Here's some information from the group policy section of the XP resource
kit--no hits on restrictanonymous, but here are the additional and changed
settings that make it safer than Windows 2000 in this area:
-------------------------------------------------------------
Allow anonymous SID/Name translation. Makes it possible for anonymous users
to translate SIDs into user names and user names into SIDs. This policy is
disabled by default.
Do not allow anonymous enumeration of SAM accounts. Prevents anonymous users
from generating a list of accounts in the SAM database. This policy is
enabled by default.
Do not allow anonymous enumeration of SAM accounts and shares. Prevents
anonymous users from generating a list of accounts and shares in the SAM
database. This policy is disabled by default.
Do not allow Stored User Names and Passwords to save passports or
credentials for domain authentication. Prevents Stored User Names and
Passwords from saving passport or domain authentication credentials after a
logon session has ended. This policy is disabled by default.
Sharing and security model for local accounts. Allows you to choose between
the Guest only security model or the Classic security model. In the Guest
only model, all attempts to log on to the local computer from across the
network will be forced to use the Guest account. In the Classic security
model, users who attempt to log on to the local computer from across the
network authenticate as themselves. This policy does not apply to computers
that are joined to a domain. Otherwise, Guest only is enabled by default.
Let Everyone permissions apply to Anonymous users. Restores Everyone
permissions to users logging on anonymously. In Windows 2000, Anonymous
logons received Everyone permissions by default. This default behavior was
removed in Windows XP Professional.
---------------------------------------------------
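An added example, not part of either post: a PowerShell audit script that reads the three LSA values the quoted MBSA text and XP resource kit excerpt describe and reports what each one means, plus an opt-in step that applies the "SAM accounts and shares" restriction Gunilla asks about. The registry path (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the mapping of the policy names to the value names RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous come from general Windows knowledge, not from the quoted text.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on XP/2000 or later.
# Assumption: these values live under the Lsa key named below; the quoted docs only say
# "the same registry key as RestrictAnonymous" without giving the path.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each RestrictAnonymous value, as the quoted MBSA text lists them.
$restrictAnonymousMeaning = @{
    0 = 'None. Rely on default permissions (anonymous enumeration allowed)'
    1 = 'Do not allow enumeration of SAM accounts and shares'
    2 = 'No access without explicit anonymous permissions (Win2000 only; see KB 246261 caution)'
}

function Get-LsaValue([string]$Name, [int]$DefaultIfMissing) {
    # A missing value means the OS falls back to its built-in default for that version.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultIfMissing }
    return [int]$item.$Name
}

function Get-AnonymousAccessReport {
    $ra   = Get-LsaValue 'RestrictAnonymous'        0   # "...SAM accounts and shares" policy
    $rsam = Get-LsaValue 'RestrictAnonymousSAM'     1   # "...SAM accounts" policy (XP: enabled by default)
    $eia  = Get-LsaValue 'EveryoneIncludesAnonymous' 0  # "Let Everyone permissions apply to Anonymous users"

    [pscustomobject]@{
        RestrictAnonymous        = $ra
        RestrictAnonymousMeaning = $restrictAnonymousMeaning[$ra]
        RestrictAnonymousSAM     = $rsam   # 1 = anonymous SAM account enumeration blocked
        EveryoneIncludesAnonymous = $eia   # 0 = the XP default the MBSA "Note" describes
        MatchesXpDefault         = ($rsam -eq 1 -and $eia -eq 0)
        Warning                  = if ($ra -eq 2) { 'Value 2 can break browser/downlevel clients' } else { '' }
    }
}

function Set-AnonymousEnumerationRestricted {
    # Applies "Do not allow anonymous enumeration of SAM accounts and shares" (value 1),
    # deliberately never 2, in line with the quoted caution. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)] param()
    if ($PSCmdlet.ShouldProcess("$lsa\RestrictAnonymous", 'Set to 1')) {
        Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous' -Value 1 -Type DWord
    }
}

Get-AnonymousAccessReport | Format-List
# To harden, preview first, then apply:
#   Set-AnonymousEnumerationRestricted -WhatIf
#   Set-AnonymousEnumerationRestricted
```

A reboot or `gpupdate /force` is not required for the registry write itself, but check with `Get-AnonymousAccessReport` afterwards and, on a domain member, confirm no domain policy overrides the value.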