Restrict Anonymous check

Applies To: Forefront Client Security

The Restrict Anonymous security state assessment (SSA) check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections (null sessions) on the scanned computer. The setting is a DWORD value at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

Anonymous users can list certain types of system information, including user names and details, account policies, and share names. An attacker who obtains the list of user names and share names can learn compromising information, such as:

  • Who is an administrator.

  • Which computers have weak account protection.

  • Which computers share information with the network.

Administrators who want enhanced security can restrict this enumeration so that anonymous users cannot access this information.

The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. RestrictAnonymous can be set to any of the following values:

  • 0—None. Rely on default permissions.

  • 1—Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.

  • 2—No access without explicit anonymous permissions. The Everyone group is removed from the anonymous user's access token, so anything that relies on Everyone permissions for anonymous access stops working.

Do not set RestrictAnonymous to 2 on domain controllers or on computers running Microsoft Windows Small Business Server 2003 (Windows SBS) unless they are in a pure Windows 2000 Server environment and have been tested for application compatibility, because down-level clients and applications that depend on anonymous access fail at this level. In addition, client computers with RestrictAnonymous set to 2 should not take on the role of master browser, because the browser service depends on anonymous connections.

In Windows XP and later, the EveryoneIncludesAnonymous registry setting (also under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA) controls whether permissions given to the built-in Everyone group apply to anonymous users. By default it is 0, so permissions granted to the Everyone group do not apply to anonymous users; this provides the same level of anonymous user restriction as RestrictAnonymous = 2 does on earlier Windows operating systems.

Resolutions for potentially unacceptable scores

Review the results message associated with the score.

It is recommended that you restrict anonymous access: set RestrictAnonymous to 2 where the caveats above allow it, and otherwise to at least 1.
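The following PowerShell function is an added example, not part of Forefront Client Security, showing how an administrator would apply the recommended setting while honouring the domain controller caveat above. The function names (Get-LsaDwordValue, Set-RestrictAnonymous) are ours; the registry path and the Win32_ComputerSystem.DomainRole codes (4 and 5 mean domain controller) are standard Windows. It must run elevated, and the change takes effect after a restart.

```powershell
# Added example (not Client Security code): set RestrictAnonymous safely.

function Get-LsaDwordValue {
    # Returns the named DWORD under the LSA key, or $null when the value
    # does not exist (Get-ItemProperty -Name would throw in that case).
    param([Parameter(Mandatory = $true)][string]$Name)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = $lsa.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

function Set-RestrictAnonymous {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 2 is the page's recommendation; 1 is the safe choice for domain controllers.
        [ValidateSet(1, 2)]
        [int]$Value = 2,
        # Override the domain controller safeguard (only after compatibility testing).
        [switch]$Force
    )

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $role -ge 4

    if ($Value -eq 2 -and $isDomainController -and -not $Force) {
        Write-Warning 'Domain controller detected: RestrictAnonymous = 2 is not recommended here. Using 1 instead (pass -Force to override).'
        $Value = 1
    }

    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $before = Get-LsaDwordValue -Name 'RestrictAnonymous'
    $beforeText = if ($null -eq $before) { 'not set' } else { $before }

    if ($PSCmdlet.ShouldProcess("$key\RestrictAnonymous", "Set to $Value (currently $beforeText)")) {
        # -Type DWord creates the value if it is missing and keeps the REG_DWORD type.
        Set-ItemProperty -Path $key -Name 'RestrictAnonymous' -Value $Value -Type DWord

        # Read back and verify rather than trusting the write.
        $after = Get-LsaDwordValue -Name 'RestrictAnonymous'
        if ($after -ne $Value) {
            throw "Verification failed: RestrictAnonymous is '$after', expected $Value."
        }

        [pscustomobject]@{
            Before           = $beforeText
            After            = $after
            DomainController = $isDomainController
            RestartRequired  = $true
        }
    }
}

# Usage: preview first, then apply.
# Set-RestrictAnonymous -WhatIf
# Set-RestrictAnonymous
```

Run it with -WhatIf first to see the current value and the intended change. On a domain controller the function silently downgrades the target to 1 unless -Force is given, which matches the guidance above that 2 is only appropriate there after compatibility testing.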

Scoring and results

Because Windows XP introduced the EveryoneIncludesAnonymous registry setting, scoring for Windows XP and newer operating systems differs from scoring for Windows 2000 Server.

Scoring and results for Windows Vista and Windows XP

The following table shows how Client Security determines the score resulting from performing this check on computers running the Windows Vista™ or Windows XP operating system. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.

Score | Everyone group includes anonymous users | RestrictAnonymous setting
    Results message

High | Yes | 0
    This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.

High | Yes | Doesn't exist
    The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.

High | Yes | Not 0, 1, or 2
    Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value.

Medium | Yes | 1
    This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.

Low | Yes | 2
    This computer is properly restricting anonymous access.

Low | No | Any setting
    This computer is properly restricting anonymous access.

Scoring and results for Windows 2000 Server

The following table shows how Client Security determines the score resulting from performing this check on a computer running Windows 2000 Server. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.

Score | RestrictAnonymous setting | RestrictAnonymous setting is missing
    Results message

High | 0 | No
    This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.

High | Not applicable | Yes
    The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.

High | Not 0, 1, or 2 | No
    Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value.

Medium | 1 | No
    This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.

Low | 2 | No
    This computer is properly restricting anonymous access.
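The following PowerShell is an added example, not code from Forefront Client Security, that reproduces both scoring tables above so the check can be run ad hoc on a computer. Get-RestrictAnonymousScore is a pure function over the two registry values (so it can be fed values collected by other means), and Test-RestrictAnonymousLocal reads them from the local LSA key. The function names and the -Windows2000 switch are ours. One assumption is ours as well: when EveryoneIncludesAnonymous is absent on Windows XP or later, the example treats it as the documented default of 0 ("No").

```powershell
# Added example (not Client Security code): score RestrictAnonymous as the check does.

function Get-LsaDwordValue {
    # Returns the named DWORD under the LSA key, or $null when it does not exist.
    param([Parameter(Mandatory = $true)][string]$Name)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = $lsa.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

function Get-RestrictAnonymousScore {
    param(
        # $null means the value does not exist in the registry.
        $RestrictAnonymous,
        $EveryoneIncludesAnonymous,
        # Windows 2000 Server has no EveryoneIncludesAnonymous; use the second table.
        [switch]$Windows2000
    )

    # Windows XP and later: if Everyone does not include anonymous users, the
    # computer is already restricted whatever RestrictAnonymous says (last row
    # of the first table). Assumption: a missing value is the default, 0.
    if (-not $Windows2000 -and ($null -eq $EveryoneIncludesAnonymous -or $EveryoneIncludesAnonymous -eq 0)) {
        $score = 'Low'
        $msg   = 'This computer is properly restricting anonymous access.'
    }
    # Otherwise the RestrictAnonymous value alone decides (both tables agree).
    elseif ($null -eq $RestrictAnonymous) {
        $score = 'High'
        $msg   = 'The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.'
    }
    elseif ($RestrictAnonymous -eq 0) {
        $score = 'High'
        $msg   = 'This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.'
    }
    elseif ($RestrictAnonymous -eq 1) {
        $score = 'Medium'
        $msg   = 'This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.'
    }
    elseif ($RestrictAnonymous -eq 2) {
        $score = 'Low'
        $msg   = 'This computer is properly restricting anonymous access.'
    }
    else {
        # Any other value (a REG_DWORD outside 0..2) is flagged as invalid.
        $score = 'High'
        $msg   = "Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = $RestrictAnonymous."
    }

    [pscustomobject]@{
        Score                     = $score
        RestrictAnonymous         = $RestrictAnonymous
        EveryoneIncludesAnonymous = $EveryoneIncludesAnonymous
        ResultsMessage            = $msg
    }
}

function Test-RestrictAnonymousLocal {
    # Reads both LSA values from this computer and scores them. PowerShell does
    # not run on Windows 2000, so the local path always uses the first table.
    $ra  = Get-LsaDwordValue -Name 'RestrictAnonymous'
    $eia = Get-LsaDwordValue -Name 'EveryoneIncludesAnonymous'
    Get-RestrictAnonymousScore -RestrictAnonymous $ra -EveryoneIncludesAnonymous $eia
}

# Usage: score this computer, or score values gathered elsewhere.
# Test-RestrictAnonymousLocal
# Get-RestrictAnonymousScore -RestrictAnonymous 1 -EveryoneIncludesAnonymous 1
# Get-RestrictAnonymousScore -RestrictAnonymous $null -Windows2000
```

The helper reads the whole LSA key and indexes its properties instead of calling Get-ItemProperty -Name, because the latter throws when the value is absent, and "absent" is exactly the condition the tables score as High. Keeping the scoring separate from the registry read also lets you run the Windows 2000 table against values exported from a machine that cannot run the script itself.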

Other Resources

  • How to use the RestrictAnonymous registry value in Windows 2000

  • Everyone Group Does Not Include Anonymous Security Identifier