Windows Server 2003 domain controllers let anonymous users resolve a security identifier (SID) to a user name

Microsoft ended support for Windows Server 2003 on July 14, 2015.

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
By default, Windows Server 2003 domain controllers let anonymous users resolve a security identifier (SID) to a user name.

This configuration has security risks. For example, an anonymous user can use the well-known Administrators SID to obtain the real name of the built-in Administrator account, even if that account has been renamed.
CAUSE
This configuration is automatically applied during the Active Directory directory service installation to support compatibility with earlier versions.
RESOLUTION
To avoid the potential risks of the default configuration, follow these steps:
  1. Edit the Group Policy object (GPO) that is linked to the domain controller organizational unit.
  2. In Group Policy Object Editor, locate the following node:
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
  3. Open the following policy setting:
    Network access: Allow anonymous SID/Name translation
  4. Change this policy setting to Disabled.
  5. Reapply the policy settings to all domain controllers. To do this, type the following command at a command prompt on each domain controller:
    Gpupdate /force
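As an added example that is not part of the KB article, the following PowerShell script confirms on a domain controller that the policy actually took effect after Gpupdate /force. It relies on secedit.exe exporting the effective local security policy to a template in which this setting appears in the [System Access] section as LSAAnonymousNameLookup; the scratch file path and the "absent means Enabled" fallback are assumptions.

```powershell
# Added example, not from the KB article: verify on a DC that
# "Network access: Allow anonymous SID/Name translation" is Disabled.
# secedit exports the effective local security policy to an .inf template;
# its [System Access] section carries this setting as LSAAnonymousNameLookup
# (1 = Enabled, the Server 2003 DC default; 0 = Disabled, the desired state).

function Get-AnonymousSidNameLookup {
    # Assumed scratch path for the exported template.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit /export produced no template file' }

    # secedit writes UTF-16; pick the single line for this keyword.
    $line = Get-Content $inf -Encoding Unicode |
        Where-Object { $_ -like 'LSAAnonymousNameLookup*' } |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue

    if ($line -and ($line -match '=\s*(\d+)')) { return [int]$Matches[1] }
    # Assumption: keyword absent from the export means the default (Enabled).
    return 1
}

$value = Get-AnonymousSidNameLookup
if ($value -eq 0) {
    Write-Output "$env:COMPUTERNAME : anonymous SID/Name translation is Disabled (OK)"
} else {
    Write-Output "$env:COMPUTERNAME : anonymous SID/Name translation is Enabled (FINDING)"
    exit 1
}
```

Run it on each domain controller after Gpupdate /force; a non-zero exit code marks a DC where the GPO has not yet been applied.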
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
If the "Network access: Allow anonymous SID/Name translation" setting is disabled, earlier operating systems or applications may be unable to communicate with Windows Server 2003 domains. For more information, see the following article in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
In security templates (for example, the output of secedit /export), this setting appears in the [System Access] section under the keyword LSAAnonymousNameLookup.

Article ID: 942428 - Last Review: 01/16/2015 02:10:39 - Revision: 1.2

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems