Article ID: 246261 - View products that this article applies to.
This article was previously published under Q246261
NoticeThis article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
This article describes how administrators can use the RestrictAnonymous registry value on a Windows 2000-based computer to restrict access over anonymous connections.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
An administrator may configure a Windows 2000-based computer to prevent anonymous log-on access to all resources, with the exception of resources the anonymous user may have explicitly been given access to. To control this behavior, use either of the following methods.
Note If Terminal Server Licensing is running on the Windows 2000-based computer, other servers that have Terminal Services enabled will not be able to request licenses from it.
Local Security Policy MMC snap-in
RestrictAnonymous registry valueUse Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
Value Type: REG_DWORD
Value Data: 0x2 (Hex)
Restart the computer after any change to the RestrictAnonymous key in the registry.
When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.
For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.
The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Note Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates. For more information about the RestrictAnonymous registry value, click the following article number to view the article in the Microsoft Knowledge Base:
178640RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:
(http://support.microsoft.com/kb/178640/ )Could not find domain controller when establishing a trust
0 None. Rely on default permissions
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
Article ID: 246261 - Last Review: March 2, 2007 - Revision: 5.5