There are similar situations where obtaining account names using an anonymous connection allows the user interface tools, including Windows NT Explorer, User Manager, and ACL editor, to administer and manage access control information across multiple Windows NT domains. Another example is using User Manager in the resource domain to add users from the trusted account domain to a local group. One way to add the account domain user to a local group in the resource domain is to manually enter a known domain\username to add access without getting the complete list of names from the account domain. Another approach is to logon to the system in the resource domain using an account in the trusted account domain.
Windows NT environments that want to restrict anonymous connections from listing account names can control this operation after installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix.
After installation of Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix, administrators who want to require only authenticated users to list account names, and exclude anonymous connections from doing so, need to make the following change to the registry:
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
- Run Registry Editor (Regedt32.exe).
- Go to the following key in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- On the Edit menu, click Add Value and use the following entry:Value Name: RestrictAnonymous
Data Type: REG_DWORD
- Exit the Registry Editor and restart the computer for the change to take effect.
Note Remote access to the registry may still be possible after you follow the steps in this article if the RestrictNullSessAccess registry value has been created and is set to 0. This value allows remote access to the registry by using a null session. The value overrides other explicit restrictive settings.
The purpose of the registry value is to configure local system policy for whether authentication is required to perform common enumeration functions. Requiring authentication to obtain the account name list is an optional feature. When the RestrictAnonymous value is set to 1, anonymous connections from the Graphical User Interface tools for security management will receive an access denied error when attempting to get the list of account names. When the RestrictAnonymous value is set to 0, or the value is not defined, anonymous connections will be able to list account names and enumerate share names. It should be noted that even with the value of RestrictAnonymous set to 1, although the user interface tools with the system will not list account names, there are Win32 programming interfaces to support individual name lookup that do not restrict anonymous connections.
Windows NT networks using a multiple domain model can restrict anonymous connections without loss of functionality. The initial steps in planning to disable anonymous connections is for administrators in resource domains to add members of trusted account domains to specific local groups as needed before changing the value for the LSA RestrictAnonymous registry entry. Users logged on using accounts from trusted account domains will continue to use authenticated connections to obtain list of account names to manage security access control.
Restricting Anonymous List of Share NamesThe Server service that provides remote file access to share resources will also use the LSA registry value, RestrictAnonymous, to control whether anonymous connections can obtain a list of share names. Therefore, administrators can set the value of a single registry configuration entry to define how the system responds to enumeration requests by anonymous logons.
Restricting Anonymous Remote Registry AccessInstallation of Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix removes the ability for anonymous users to connect to the registry remotely. Anonymous users cannot connect to the registry and cannot read or write any registry data. As a reminder, Windows NT 4.0 restricts remote access to the registry by domain users using the access control list on the registry key:
For additional information on the winreg key, click the article number below to view the article in the Microsoft Knowledge Base:
Authenticated Users Built-in GroupA new built-in group is created when installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix known as "Authenticated Users." The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. The built-in Security Identifier for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, is identified as an Authenticated User. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hotfix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users.
Windows NT 3.51 HotfixThe Windows NT 3.51 hotfix has been posted to the following Internet location:
ID do Artigo: 143474 - Última Revisão: 27/03/2007 - Revisão: 1