The RestrictAnonymous registry setting controls the level of enumeration granted to an Anonymous user.
Anonymous users can use a variety of information about your system in an attack on your system. For example, the list of user names and share names could help potential attackers identify who is an Administrator, which computers have weak account protection, and which computers share information with the network.
If RestrictAnonymous is set to 0 (the default setting), any user can obtain system information, including user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system.
To restrict anonymous connections from accessing system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in. (The setting is defined in Local Policies in the default security templates.) or through the registry editor. In Microsoft® Windows® NT® Server 4.0, you should change the registry setting from 0 to 1 . in Windows® 2000 Server, you should change it from 0 to 1 or 2.
0 - None. Rely on default permissions.
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.
2 - No access without explicit anonymous permissions. (Not available on Windows NT 4.0 Server.)
We recommend that you do not set this value to 2
on domain controllers or computers running Small Business Server (SBS) in mixed-mode environments (for example, networks running older versions of Windows). In addition, client machines with RestrictAnonymous
set to 2
should not take on the role of master browser. For more details on configuring RestrictAnonymous
on domain controllers and in Windows® 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.
In Windows® XP, there is a new EveryoneIncludesAnonymous
registry setting that controls whether permissions given to the built-in Everyone group apply to Anonymous users. By default, permissions granted to the Everyone group do not apply to Anonymous users in Windows® XP. This provides the same level of Anonymous user restrictions as the RestrictAnonymous
setting in previous Windows operating systems. The EveryoneIncludesAnonymous
setting can be configured through the Security Configuration Manager (SCM) snap-in on computers running Windows® XP Professional or through a registry editor. (In SCM, the setting is defined in the Local Policies portion of the security template.) This setting is located in the same registry key as RestrictAnonymous
For more information about managing the RestrictAnonymous setting, see:
Article ID: A33ABF4CBA6744D5AD72BD574147304B - Last Review: November 10, 2004 - Revision: 1.0
|MOM Management Pack Knowledge|