How to use the RestrictAnonymous registry value in Windows 2000
This article was previously published under Q246261
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how administrators can use the RestrictAnonymous registry value on a Windows 2000-based computer to restrict access over anonymous connections.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
An administrator may configure a Windows 2000-based computer to prevent anonymous log-on access to all resources, with the exception of resources the anonymous user may have explicitly been given access to. To control this behavior, use either of the following methods.
Note If Terminal Server Licensing is running on the Windows 2000-based computer, other servers that have Terminal Services enabled will not be able to request licenses from it.
Local Security Policy MMC snap-in
- Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
Note If you cannot perform this step because "Administrative Tools" does not show up in the Program list, then click Start, point to Settings, point to Control Panel, click Administrative Tools, and then click Local Security Policy. Then proceed to step two.
- Under Security Settings, double-click Local Policies, and then click Security Options.
- Double-click Additional restrictions for anonymous connections, and then click No access without explicit anonymous permissions under Local policy setting.
- Restart the member computer or domain controller for the change to take effect.
RestrictAnonymous registry valueUse Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
Value Type: REG_DWORD
Value Data: 0x2 (Hex)
Restart the computer after any change to the RestrictAnonymous key in the registry.
When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.
For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.
The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
- Down-level member workstations or servers are not able to set up a netlogon secure channel.
- Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel.
- Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
- The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Note Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.For more information about the RestrictAnonymous registry value, click the following article number to view the article in the Microsoft Knowledge Base:
178640 Could not find domain controller when establishing a trustRestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:
0 None. Rely on default permissions
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
Article ID: 246261 - Last Review: 12/05/2015 17:32:58 - Revision: 5.5
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server
- kbnosurvey kbarchive kbenv kbhowto kbnetwork KB246261