[THIN] Re: RestrictAnnoymous Registry Setting

  • From: Philip Walley <mythinlist@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 24 Jan 2006 09:37:07 -0600

You should be able to change that to 1 with no issues.

Keith Sirmons wrote:

Howdy,
I have Metaframe XP running on a Windows 2000 server.
After running the Microsoft Baseline Security Analyzer from a MOM Server against the machine, I am getting an error about the RestrictAnonymous registry setting being 0 instead of 2.
Do you know if this needs to be set to 0 for Citrix, or can I change it to 2 without breaking Citrix?
Thank you,
Keith
MOM Online <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
Management Pack
Summary


The *RestrictAnonymous* registry setting controls the level of enumeration granted to an Anonymous user.

Anonymous users can use a variety of information about your system in an attack on your system. For example, the list of user names and share names could help potential attackers identify who is an Administrator, which computers have weak account protection, and which computers share information with the network.

Causes

If *RestrictAnonymous* is set to *0* (the default setting), any user can obtain system information, including user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system.

Resolutions

To restrict anonymous connections from accessing system information, change the *RestrictAnonymous* security settings. You can do this through the Security Configuration Manager snap-in (the setting is defined in Local Policies in the default security templates) or through the registry editor. In Microsoft® Windows® NT® Server 4.0, you should change the registry setting from *0* to *1*. In Windows® 2000 Server, you should change it from *0* to *1* or *2*.

0 - None. Rely on default permissions.

1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.

2 - No access without explicit anonymous permissions. (Not available on Windows NT 4.0 Server.)

*Caution*

    * We recommend that you do not set this value to *2* on domain
      controllers or computers running Small Business Server (SBS) in
      mixed-mode environments (for example, networks running older
      versions of Windows). In addition, client machines with
      *RestrictAnonymous* set to *2* should not take on the role of
      master browser. For more details on configuring
      *RestrictAnonymous* on domain controllers and in Windows® 2000
      environments, and to better understand potential compatibility
      issues when using this setting, refer to the Microsoft Knowledge
      Base articles that are listed later in this document.

*Note*

    * In Windows® XP, there is a new *EveryoneIncludesAnonymous*
      registry setting that controls whether permissions given to the
      built-in Everyone group apply to Anonymous users. By default,
      permissions granted to the Everyone group do not apply to
      Anonymous users in Windows® XP. This provides the same level of
      Anonymous user restrictions as the *RestrictAnonymous* setting
      in previous Windows operating systems. The
      *EveryoneIncludesAnonymous* setting can be configured through
      the Security Configuration Manager (SCM) snap-in on computers
      running Windows® XP Professional or through a registry editor.
      (In SCM, the setting is defined in the Local Policies portion of
      the security template.) This setting is located in the same
      registry key as *RestrictAnonymous*.

External Knowledge Sources

For more information about managing the RestrictAnonymous setting, see:

    * “Restricting Information Available to Anonymous Logon Users
      (143474) (Windows NT 4.0)” at
      http://go.microsoft.com/fwlink/?LinkID=16955 on the Microsoft
      Web site.
    * “How to Use the RestrictAnonymous Registry Value in Windows
      2000” at http://go.microsoft.com/fwlink/?LinkID=16956 on the
      Microsoft Web site.

Sample Event

None

Related Events

None

Other Information

None

© 2000-2004 Microsoft Corporation, all rights reserved.

Keith Sirmons
Microcomputer/LAN Administrator
College of Veterinary Medicine
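
A local audit of the setting discussed in this thread, as an added example that is not part of the original posts or of the quoted Microsoft text. It assumes PowerShell 3.0 or later and that the value lives under the `Lsa` key shown (the key path is not given on the page); the function name is hypothetical.

```powershell
# Added example: report RestrictAnonymous and interpret it with the
# 0 / 1 / 2 meanings and the domain-controller caution quoted above.
# Assumption: registry location of the value (not stated on the page).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymousFinding {
    param(
        [int]$Value,
        [bool]$IsDomainController
    )
    switch ($Value) {
        0 { 'FINDING: 0 - none, relies on default permissions' }
        1 { 'OK: 1 - enumeration of SAM accounts and names not allowed' }
        2 {
            if ($IsDomainController) {
                # The quoted caution also covers SBS in mixed-mode
                # environments and master browsers; those are not detected here.
                'CAUTION: 2 on a domain controller - review compatibility first'
            } else {
                'OK: 2 - no access without explicit anonymous permissions'
            }
        }
        default { "UNKNOWN: unexpected value $Value" }
    }
}

$lsa = Get-ItemProperty -Path $LsaKey

# Assumption: an absent value is treated as 0, the default named in the text.
$value = if ($null -eq $lsa.RestrictAnonymous) { 0 } else { [int]$lsa.RestrictAnonymous }

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -in 4, 5

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    RestrictAnonymous         = $value
    EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # $null if absent
    IsDomainController        = $isDc
    Finding                   = Get-RestrictAnonymousFinding -Value $value -IsDomainController $isDc
}
```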
