RestrictAnonymous

Josh

Does anyone have experience with the RestrictAnonymous
registry key? We are looking at moving from 0 to 1 on our
Win2k Domain, however, we are concerned that our trust
with a remote NT4 domain is going to "blow up" to put it
mildly. Anyone have any experience with this?
 
We moved to "5" and got the problems with the NAS box
which has Linux as its own operating system but which
exposes itself as an NT4 box. After that we had to move
to "2" to have this problem fixed. So I assume "1"
wouldn't break your NT4 domain authentication.
 
Dmitry,

I didn't know that "5" was a valid setting for Restrict
Anonymous...? I thought that the only valid settings
were "1", "2", and "3"...?

What do settings 4 & 5 do?

Thanks

HGL
 
Unless I'm mistaken, 0, 1 and sometimes 2 are the only valid settings I'm
aware of. 2 only exists on Windows 2000. NT and XP only have 0 and 1. XP
also has a second, not very well documented registry value called
RestrictAnonymousSam. For information on it, don't bother trying to search
the Microsoft site, it hasn't been there for over two years, last time I
checked. Instead, I have always had to search www.google.com for
"restrictanonymoussam" and go to third party sites to get sparse and
sometimes conflicting information. Possibly an article on that has been
added in the past few months, but I've been complaining about that lack of
documentation with basic security features in their flagship desktop OS for
over a year. Go figure.
 
<SNIP> XP also has a second, not very well documented registry value called
RestrictAnonymousSam. For information on it, don't bother trying to search
the Microsoft site, it hasn't been there for over two years, last time I checked.
<SNIP> Possibly an article on that has been added in the past few months <SNIP>

Searching for RestrictAnonymousSam (no other "options" selected) using the
Microsoft.com Advanced Search Web Site
http://search.microsoft.com/search/search.aspx?st=a&View=en-us
returns the following hit:

TechNet Home | Security | Security Topics | Hardening Systems and Servers -
Checklists and Guides | Threats and Countermeasures Guide:
Chapter 5 - Security Options
http://www.microsoft.com/technet/tr...chnet/security/topics/hardsys/TCG/TCGCH05.asp

<BEGIN QUOTE>

Network access: Do not allow anonymous enumeration of SAM accounts

The Network access: Do not allow anonymous enumeration of SAM accounts setting
determines what additional permissions will be granted for anonymous connections to
the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the
names of domain accounts and network shares. This is convenient, for example, when an
administrator wants to grant access to users in a trusted domain that does not
maintain a reciprocal trust. By default, an anonymous user has the same access that
is granted to the Everyone group for a given resource.

Note This setting has no impact on domain controllers.

In Windows 2000, a similar setting called Additional Restrictions for Anonymous
Connections managed a registry value called RestrictAnonymous, located in the
HKLM\SYSTEM\CurrentControlSet\Control\LSA registry key. In Windows Server 2003, the
policies called Network access: Do not allow anonymous enumeration of SAM accounts
and Network access: Do not allow anonymous enumeration of SAM accounts and shares
replace the Windows 2000 setting. They manage registry values called
RestrictAnonymousSAM and RestrictAnonymous respectively, both located in the
HKLM\System\CurrentControlSet\Control\Lsa\ registry key.

The possible values for this Group Policy setting are:

Enabled
Disabled
Not defined

Vulnerability
An unauthorized user could anonymously list account names and use the information to
attempt to guess passwords or perform social engineering attacks. Social engineering
is a hacker term for tricking people into revealing their password or some form of
security information.

Countermeasure
Configure Network access: Do not allow anonymous enumeration of SAM accounts to
Enabled.

Potential Impact
It will be impossible to establish trusts with NT 4.0-based domains. This setting
will also cause problems with down-level clients such as Windows NT 3.51 and
Windows 95 that are trying to use resources on the server.

<END QUOTE>
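As an added example (not code from the thread, from Microsoft, or from any poster), the following PowerShell audit reads the two LSA values the quoted guide names and reports what each one means for anonymous (null-session) access, so a domain can be checked before a change like the one Josh is planning. It assumes Windows PowerShell 3.0+ with read access to HKLM on each target and PowerShell remoting for remote hosts; the value meanings follow the thread (RestrictAnonymous 0/1/2, RestrictAnonymousSAM 0/1), and the host names in the usage line are placeholders.

```powershell
# Added example: audit RestrictAnonymous / RestrictAnonymousSAM under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa and explain what each value means.
# Assumes Windows PowerShell 3.0+, read access to HKLM, and PS remoting for remote hosts.
function Get-AnonymousAccessPosture {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $probe = {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            RestrictAnonymous    = $lsa.RestrictAnonymous     # $null when the value is absent
            RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM  # $null on NT 4.0 / Windows 2000
            IsDomainController   = ($cs.DomainRole -ge 4)     # 4 = backup DC, 5 = primary DC
        }
    }

    foreach ($name in $ComputerName) {
        $r = if ($name -eq $env:COMPUTERNAME) { & $probe }
             else { Invoke-Command -ComputerName $name -ScriptBlock $probe }

        # Meaning of RestrictAnonymous; an absent value behaves like 0.
        $ra = switch ([int]$r.RestrictAnonymous) {
            0 { 'Default: anonymous connections get Everyone-group access; account and share names can be enumerated' }
            1 { 'Anonymous enumeration of SAM accounts and shares is not allowed' }
            2 { 'No access without explicit anonymous permissions (Windows 2000 only); expect breakage of NT 4.0 trusts and down-level clients' }
            default { "Undocumented value $_ (the thread shows a 5 that had to be rolled back to 2)" }
        }
        # Meaning of RestrictAnonymousSAM (Windows XP / Server 2003 and later).
        $rs = if ($null -eq $r.RestrictAnonymousSAM) { 'Value not present (pre-XP/2003 system)' }
              elseif ($r.RestrictAnonymousSAM -eq 1) { 'Enabled: anonymous enumeration of SAM accounts is not allowed' }
              else { 'Disabled: anonymous users can list SAM account names' }

        # The quoted guide says the SAM setting has no effect on domain controllers.
        $note = if ($r.IsDomainController) { 'Domain controller: SAM enumeration setting has no effect here' } else { '' }

        $r | Add-Member -NotePropertyName RestrictAnonymousMeaning    -NotePropertyValue $ra
        $r | Add-Member -NotePropertyName RestrictAnonymousSAMMeaning -NotePropertyValue $rs
        $r | Add-Member -NotePropertyName Note                        -NotePropertyValue $note
        $r
    }
}

# Usage (placeholder host names):
# Get-AnonymousAccessPosture -ComputerName 'FILESRV01', 'DC01' | Format-List
```

Run it against the member servers and the NAS-facing hosts before raising the value, and keep the output as the baseline to compare against if a trust or down-level client stops working afterwards.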
 