Restrict anonymous in SBS 2000 running in native mode

[Bob Genestet]

I chose to restrict anonymous access on SBS 2000 after
reading article Q246261 and realizing the risks associated
with doing so. The first problem to occur was users were
unable to change their password. I applied Microsoft
Knowledge Base Article - 258788 fix and resolved the
issue. Next problem was that now I receive error 8002801d
Library not registered.
autoupdate/administration/shared/corporate.inc,line 37 as
the web page when trying to access
http:/myserver/SUSAdmin. The IIS log shows the same error
except the associated file
is /autoupdate/administration/en/default.asp. Microsoft
Knowledge Base Article - 274038 discusses this error and
offers a solution that may or may not fix my problem.
Another article suggested installing the latest MDAC
version. I understand also that the browse master service
will not function correctly after restrict anonymous is
applied. I was willing to risk this by letting another
computer assuming the browse master role and I block
NetBios over my WAN anyway. In a nutshell, is the security
gained by restrict anonymous worth it, how many other
problems are unknown, and can restrict anonymous and the
associated problems be reversed?

 

[Bob Genestet]

Thanks for the lead to some interesting reading. I think
the jury is still out on this one. Supposedly, I have all
the proper fixes to run under Restrict anonymous=2
registry setting referred to in MKBA 246261 and
recommended after running MSBA. There are those running
Restrict Anonymous=1 on SBS2000 without problems, but may
not prove true for all of us. To steal someone's quote
from this newsgroup, "The early bird gets the worm, but
the second mouse gets the cheese", I am returning to
Restrict Anonymous=0 or maybe try 1.

 

[Marina Roos]

You should be able to find more info on www.smallbizserver.net and
www.sbslinks.com about this issue. The MSBA is fine for checking but better
work with hfnetchk.

Marina