
RestrictAnonymous Access Enabled Lets Anonymous Connections Obtain the Password Policy

This article was previously published under Q129457
This article has been archived. It is offered "as is" and will no longer be updated.
Windows NT 4.0 with Service Pack 3 (SP3) installed provides the capability to restrict anonymous users from obtaining system information. For more information, please see the following article in the Microsoft Knowledge Base:
143474: Restricting Information Available to Anonymous Logon Users
However, with RestrictAnonymous access enabled, anonymous connections are able to obtain the password policy from a Windows NT Server. The password policy defines the Windows NT domain policy with respect to the minimum password length, whether blank passwords are permitted, maximum password age, and password history.

Anonymous access to the password policy information is used by Windows NT to provide end-users detailed error information under specific circumstances. If the user is required to change their password at the next logon, and the user enters a new password that is rejected because of the password policy, Windows NT can tell the user why the password was rejected. The password policy is obtained by the system before the user has completed the logon and therefore uses an anonymous connection.

For example, assume there is a password policy that requires a minimum password length of 8 characters and a history that remembers the last 5 passwords. If the user chooses a new password of 6 characters, or enters a previous password, they see a detailed error message with the following information:
Your password must be at least 8 characters long. Your new password cannot be the same as any of your previous 5 passwords.
Microsoft has a fix available that disables anonymous access to password policy information when the RestrictAnonymous access is enabled. When the hotfix is applied and RestrictAnonymous is enabled, anonymous connections cannot obtain password policy information.

Microsoft recommends installing the hotfix on all domain controllers that have Service Pack 3 installed.

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.


If the user performs the same steps outlined in the example above after the hotfix is installed, they receive the following error message:

Your new password does not meet the minimum length or password history requirements of the domain.

The user should consult the account administrator to determine the password policy in effect for their account domain.

Article ID: 129457 - Last Review: 10/26/2013 01:32:00 - Revision: 3.0
