Microsoft Baseline Security Analyzer

Article ID: A33ABF4CBA6744D5AD72BD574147304B
Sample Event

None

Expand all | Collapse all

Summary

The RestrictAnonymous registry setting controls the level of enumeration granted to an Anonymous user.

Anonymous users can use a variety of information about your system in an attack on your system. For example, the list of user names and share names could help potential attackers identify who is an Administrator, which computers have weak account protection, and which computers share information with the network.

Causes

If RestrictAnonymous is set to 0 (the default setting), any user can obtain system information, including user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system.

Resolutions

To restrict anonymous connections from accessing system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in. (The setting is defined in Local Policies in the default security templates.) or through the registry editor. In Microsoft® Windows® NT® Server 4.0, you should change the registry setting from 0 to 1 . in Windows® 2000 Server, you should change it from 0 to 1 or 2.

0 - None. Rely on default permissions.

1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.

2 - No access without explicit anonymous permissions. (Not available on Windows NT 4.0 Server.)

Caution

  • We recommend that you do not set this value to 2 on domain controllers or computers running Small Business Server (SBS) in mixed-mode environments (for example, networks running older versions of Windows). In addition, client machines with RestrictAnonymous set to 2 should not take on the role of master browser. For more details on configuring RestrictAnonymous on domain controllers and in Windows® 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.

Note

  • In Windows® XP, there is a new EveryoneIncludesAnonymous registry setting that controls whether permissions given to the built-in Everyone group apply to Anonymous users. By default, permissions granted to the Everyone group do not apply to Anonymous users in Windows® XP. This provides the same level of Anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems. The EveryoneIncludesAnonymous setting can be configured through the Security Configuration Manager (SCM) snap-in on computers running Windows® XP Professional or through a registry editor. (In SCM, the setting is defined in the Local Policies portion of the security template.) This setting is located in the same registry key as RestrictAnonymous.

External Knowledge Sources

For more information about managing the RestrictAnonymous setting, see:

Related Events

Other Information

Properties

Article ID: A33ABF4CBA6744D5AD72BD574147304B - Last Review: November 10, 2004 - Revision: 1.0
Keywords: 
MOM Management Pack Knowledge

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com