Everyone group does not include anonymous security identifier

In Microsoft Windows XP and in Microsoft Windows Server 2003, the Everyone group does not contain the security identifier (SID) "Anonymous." Therefore, users or services that attempt to access an object anonymously are not granted access if the access control list (ACL) on the object includes the Everyone group. Anonymous access is only granted for objects whose ACL explicitly contains the anonymous SID.

On computers that are running Windows, ACLs and SIDs control access to resources. Each resource has an ACL that contains the SIDs of all users and groups that have been granted or denied access to the resource.

When users log on to a computer that is running Windows, either interactively or over a network, they are issued an access token that contains the SIDs of their user account, and of all the security groups that the user account is a member of. When the user attempts to access a resource, Windows checks the SIDs in the user's access token against those in the resource's ACL. If the SIDs match, the user is granted access to the resource that is specified in the ACL. If the SIDs do not match, the user is denied access.

Anonymous users (users or services that access resources over a network connection by using a null user account name, domain and password) are automatically added to the Anonymous Logon built-in security group. In earlier versions of Windows, members of the Anonymous Logon security group are able to access many resources. In some cases, if administrators are not aware that members of the Anonymous Logon security group are included as members of the Everyone security group, anonymous users may be granted access to resources that are only intended for authenticated users.

In Windows XP and later, the Anonymous Logon security group has been removed from the Everyone security group. This modification helps to limit the number of network resources that are available by default to anonymous users, and to simplify network administrators' control of anonymous user access. Because the Everyone group no longer includes anonymous users, it is easier for administrators to configure a secure system for the following reasons:

• The default ACLs on earlier versions of Windows (particularly Windows NT 4.0) that enable the Everyone security group to access resources, and potentially expose the site to attack, do not grant access to anonymous users after the computer is upgraded to Windows XP.
• Anonymous users are not granted access to resources that the administrator is unaware of.
• Anonymous users can be explicitly granted access to specific resources through the clearly named Anonymous Logon security group.

Note This security enhancement is present only on computers that are running Windows XP or later. Therefore, only anonymous users that are attempting to access resources that are hosted on computers that are running Windows XP or later are affected.

Implementation

To implement this security enhancement, you must change the contents of the access token that is generated for anonymous users. In earlier versions of Windows, the access token for anonymous users contained SIDs for:

• The Everyone security group
• The Anonymous Logon security group
• The logon type (usually Network)

In Windows XP and later, the Everyone security group has been removed from the access token for anonymous users. Therefore, the access token for anonymous users contains SIDs for:

• Anonymous Logon
• The logon type (usually Network)

When an anonymous user tries to access a resource on a computer that is running Windows XP or later, the anonymous user is not granted permissions or group memberships that are available to the Everyone security group. The SID for the Everyone security group is present in the anonymous user's access token.

Compatibility with earlier versions of Windows

Windows 2000 introduced a mechanism to change the recommended strict security settings to security settings that granted some anonymous users access to Active Directory objects that are required by services that are running on earlier versions of the operating system. Because of the security enhancement in Windows XP, there is a slight change to the way the Windows 2000 mechanism works.

Windows 2000 introduced stricter default security settings than the security settings that were available in Windows NT 4.0 and earlier versions of the operating system. To be compatible with services that require anonymous access to certain domain data, Windows 2000 provided a way to switch between high-security settings (the preferred configuration when backward compatibility is not required) to backward compatible security settings that grant anonymous users access as it is required by systems running Windows NT 4.0 and earlier versions of Windows.

The Pre-Windows 2000 Compatible Access security group, that was introduced in Windows 2000, controls this security choice. Backward compatibility is achieved on computers that are running Windows 2000 by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You are able to configure high-security settings by removing all members from the Pre-Windows 2000 Compatible Access group.

On Windows Server 2003 domain controllers, the Everyone group no longer includes Anonymous Logon. Therefore, the backward compatible settings require that both the Everyone and Anonymous Logon security groups are members of the Pre-Windows 2000 Compatible Access group. To satisfy this requirement, use either of the following methods:

• If you promote a computer that is running Windows Server 2003 to a domain controller by using the Active Directory Promotion Wizard (Dcpromo.exe), click Permissions compatible with pre-Windows 2000 servers to add the Anonymous Logon and Everyone security groups to the Pre-Windows 2000 Compatible Access security group.
• If you are upgrading a Windows 2000-based domain controller to Windows Server 2003, the Anonymous Logon security group is added to the Pre-Windows 2000 Compatible Access security group during the upgrade. This occurs if the Everyone security group is already a member of the Pre-Windows 2000 Compatible Access security group (indicating backward compatibility settings).

You can manually switch between the backward compatible and high-security settings on Active Directory objects by updating the membership of the Pre-Windows 2000 Compatible Access security group by using the Active Directory Users and Computers snap-in.

Compatibility with programs that work with Windows 2000

When you upgrade Windows 2000 to Windows XP, resources with ACLs that grant access to the Everyone group (and not explicitly to the Anonymous Logon group) are no longer available to anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. However, you may need to permit anonymous access to these resources to support pre-existing programs. In this case, you should explicitly add the Anonymous Logon security group to the ACLs on the specific resources.

In some situations, it might be difficult to determine which resource on the computer that is running Windows XP you must grant anonymous access to. It may also be difficult to modify the permissions on all of the necessary resources.

In these situations, you may need to force the computer that is running Windows XP to include the Anonymous Logon security group in the Everyone security group. To support this functionality, Windows XP introduces a new registry value, EveryoneIncludesAnonymous. This value can be used to switch between the default Windows XP behavior (the Everyone security group does not include the Anonymous Logon security group) and the Windows 2000 behavior (the Everyone security group includes the Anonymous Logon security group).

When the access token for an anonymous user is built, if the EveryoneIncludesAnonymous registry value is set to the value of REG_DWORD 0x0, the local security authority (LSA) of the computer that is running Windows XP does not include the SID of the Everyone security group in the anonymous user's access token. This is the default setting.

If the EveryoneIncludesAnonymous registry value is set to the value of REG_DWORD 0x1, the LSA includes the SID of the Everyone security group in the anonymous user's access token.

To set the EveryoneIncludesAnonymous registry value, use either of the following methods.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

• To set the EveryoneIncludesAnonymous registry value by using local security settings:
  1. Click Start, point to Programs, point to Administrative Tools, and then click either Local Security Policy or Domain Security Policy (on domain controllers only).
  2. Click Security Settings, double-click Local Policies, and then click Security Options.
  3. Right-click Let Everyone permissions apply to anonymous users, and then click Properties.
  4. To enable anonymous users to be members of the Everyone security group, click Enabled. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), click Disabled.
• To set the EveryoneIncludesAnonymous registry value by using Registry Editor:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and click the following registry key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click EveryoneIncludesAnonymous, and then click Modify.
  4. To enable anonymous users to be members of the Everyone security group, in the Value data box, type 1. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), in the Value data box, type 0.
  5. Quit Registry Editor.

Note This change can affect the following Windows-Based Technologies: Com, Dcom, IIS, Message Queuing, and any other technology where anonymous authentication is frequently employed.