Article ID: 278259 - View products that this article applies to.
This article was previously published under Q278259
In Microsoft Windows XP and in Microsoft Windows Server 2003, the Everyone group does not contain the security identifier (SID) "Anonymous." Therefore, users or services that attempt to access an object anonymously are not granted access if the access control list (ACL) on the object includes the Everyone group. Anonymous access is only granted for objects whose ACL explicitly contains the anonymous SID.
On computers that are running Windows, ACLs and SIDs control access to resources. Each resource has an ACL that contains the SIDs of all users and groups that have been granted or denied access to the resource.
When users log on to a computer that is running Windows, either interactively or over a network, they are issued an access token that contains the SIDs of their user account, and of all the security groups that the user account is a member of. When the user attempts to access a resource, Windows checks the SIDs in the user's access token against those in the resource's ACL. If the SIDs match, the user is granted access to the resource that is specified in the ACL. If the SIDs do not match, the user is denied access.
Anonymous users (users or services that access resources over a network connection by using a null user account name, domain and password) are automatically added to the Anonymous Logon built-in security group. In earlier versions of Windows, members of the Anonymous Logon security group are able to access many resources. In some cases, if administrators are not aware that members of the Anonymous Logon security group are included as members of the Everyone security group, anonymous users may be granted access to resources that are only intended for authenticated users.
In Windows XP and later, the Anonymous Logon security group has been removed from the Everyone security group. This modification helps to limit the number of network resources that are available by default to anonymous users, and to simplify network administrators' control of anonymous user access. Because the Everyone group no longer includes anonymous users, it is easier for administrators to configure a secure system for the following reasons:
ImplementationTo implement this security enhancement, you must change the contents of the access token that is generated for anonymous users. In earlier versions of Windows, the access token for anonymous users contained SIDs for:
Compatibility with earlier versions of WindowsWindows 2000 introduced a mechanism to change the recommended strict security settings to security settings that granted some anonymous users access to Active Directory objects that are required by services that are running on earlier versions of the operating system. Because of the security enhancement in Windows XP, there is a slight change to the way the Windows 2000 mechanism works.
Windows 2000 introduced stricter default security settings than the security settings that were available in Windows NT 4.0 and earlier versions of the operating system. To be compatible with services that require anonymous access to certain domain data, Windows 2000 provided a way to switch between high-security settings (the preferred configuration when backward compatibility is not required) to backward compatible security settings that grant anonymous users access as it is required by systems running Windows NT 4.0 and earlier versions of Windows.
The Pre-Windows 2000 Compatible Access security group, that was introduced in Windows 2000, controls this security choice. Backward compatibility is achieved on computers that are running Windows 2000 by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You are able to configure high-security settings by removing all members from the Pre-Windows 2000 Compatible Access group.
On Windows Server 2003 domain controllers, the Everyone group no longer includes Anonymous Logon. Therefore, the backward compatible settings require that both the Everyone and Anonymous Logon security groups are members of the Pre-Windows 2000 Compatible Access group. To satisfy this requirement, use either of the following methods:
Compatibility with programs that work with Windows 2000When you upgrade Windows 2000 to Windows XP, resources with ACLs that grant access to the Everyone group (and not explicitly to the Anonymous Logon group) are no longer available to anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. However, you may need to permit anonymous access to these resources to support pre-existing programs. In this case, you should explicitly add the Anonymous Logon security group to the ACLs on the specific resources.
In some situations, it might be difficult to determine which resource on the computer that is running Windows XP you must grant anonymous access to. It may also be difficult to modify the permissions on all of the necessary resources.
In these situations, you may need to force the computer that is running Windows XP to include the Anonymous Logon security group in the Everyone security group. To support this functionality, Windows XP introduces a new registry value, EveryoneIncludesAnonymous. This value can be used to switch between the default Windows XP behavior (the Everyone security group does not include the Anonymous Logon security group) and the Windows 2000 behavior (the Everyone security group includes the Anonymous Logon security group).
When the access token for an anonymous user is built, if the EveryoneIncludesAnonymous registry value is set to the value of REG_DWORD 0x0, the local security authority (LSA) of the computer that is running Windows XP does not include the SID of the Everyone security group in the anonymous user's access token. This is the default setting.
If the EveryoneIncludesAnonymous registry value is set to the value of REG_DWORD 0x1, the LSA includes the SID of the Everyone security group in the anonymous user's access token.
To set the EveryoneIncludesAnonymous registry value, use either of the following methods.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Article ID: 278259 - Last Review: February 22, 2007 - Revision: 4.5