Event Source: LsaSrv
Event Category: None
Event ID: 6033
Computer: <Computer Name>
An anonymous session connected from <Computer Name> has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
- The instance of SQL Server is installed on a computer that is running Microsoft Windows Server 2003.
- The computer that is running the instance of SQL Server is a member server in a domain.
- The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlockregistry value is either missing or is not set to 1.
- The Network Access: Allow anonymous SID/Name translation security option on the computer that is running the instance of SQL Server is not enabled.
To work around this problem, follow these steps on the computer that is running Windows Server 2003 to allow anonymous connections to SQL Server 2000 or to SQL Server 2005:
- Enable the Network Access: Allow anonymous SID/Name translation security option in Local Security Policy. To do this, follow these steps:
- Click Start, and then click
- Double-click Administrative Tools, and then double-click Local Security Policy.
- In the left pane, expand Local Policies, and then click Security Options.
- In the right pane, under the Policy column, locate and then double-click Network Access: Allow anonymous SID/Name translation.
- In the Network Access: Allow anonymous SID/Name translation dialog box, click the Enabled option, and then click OK.
- Close the Local Security Settings window.
- Close the Administrative Tools window.
- Click Start, and then click
- Set the TurnOffAnonymousBlock DWORD registry value to 1. To do this, follow these steps.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:322756 How to back up and restore the registry in Windows
- Click Start, click
Run, type regedit, and then click
- In Registry Editor, locate and then click the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key.
- In the right pane, locate and then double-click the
TurnOffAnonymousBlock DWORD registry value.
Note If the TurnOffAnonymousBlock DWORD registry value does not exist, you must create the registry value.
- In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
- Close Registry Editor, and the restart the computer. A restart is required for the registry changes to take effect.
- Click Start, click
TurnOffAnonymousBlock registry key to control the anonymous connection attempts. Therefore, if your instance of SQL Server is installed on a domain controller that is running Windows Server 2003, the anonymous connection attempts to the instance of SQL Server do not fail.
Important We do not recommend allowing anonymous access to SQL Server. All permissions that are granted to the NT AUTHORITY\ANONYMOUS LOGON login can be used by any user who can connect to the computer that is running SQL Server. If you must allow anonymous access to your instance of SQL Server, we recommend that only read permissions are granted to the NT AUTHORITY\ANONYMOUS LOGON login to view the SQL Server data that you want to be publicly viewable. Additionally, we recommend that only Execute permissions are granted to the SQL Server stored procedures that perform limited operations.
Instead of allowing the anonymous connections to your instance of SQL Server, you can grant the required access to a specific SQL Server account and pass the logon credentials for the SQL Server account in the connection string in the ASP.NET page. Using SQL Server authentication avoids the anonymous connection attempts to the instance of SQL Server and is more secure.
If the Network Access: Allow anonymous SID/Name translation security option is enabled on the computer that is running Windows Server 2003, all the users who can make a network connection to the computer can look up the account names for any known security identifications (SID), such as the Administrator account. A malicious attacker may use this information to connect to the server by using a method such as password guessing or to lock out the accounts with failed login attempts.
If you set the value of the TurnOffAnonymousBlock registry value to 1, the anonymous connections can open a handle to the policy for the Local Security Authority. For more information about the LSA Policy, visit the following MSDN Web sites:
Article ID: 839569 - Last Review: Feb 12, 2009 - Revision: 1