you should be able to change that to 1 with no issues.
Keith Sirmons wrote:
Howdy,
I have Metaframe XP running on a windows 2000 server.
After running the Microsoft Baseline Security Analyzer from a MOM Server against the machine, I am getting an error about the RestrictAnonymous registry setting being 0 instead of 2.
Do you know if this needs to be set to 0 for Citrix, or can I change it to 2 with out breaking Citrix?
Thank you,
Keith
MOM Online <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
Management Pack
Summary
The *RestrictAnonymous* registry setting controls the level of enumeration granted to an Anonymous user.
Anonymous users can use a variety of information about your system in an attack on your system. For example, the list of user names and share names could help potential attackers identify who is an Administrator, which computers have weak account protection, and which computers share information with the network.
Causes
If *RestrictAnonymous* is set to *0* (the default setting), any user can obtain system information, including user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system.
Resolutions
To restrict anonymous connections from accessing system information, change the *RestrictAnonymous* security settings. You can do this through the Security Configuration Manager snap-in. (The setting is defined in Local Policies in the default security templates.) or through the registry editor. In Microsoft® Windows® NT® Server 4.0, you should change the registry setting from *0* to *1* . in Windows® 2000 Server, you should change it from *0* to *1* or *2*.
0 - None. Rely on default permissions.
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.
2 - No access without explicit anonymous permissions. (Not available on Windows NT 4.0 Server.)
*Caution*
**
* We recommend that you do not set this value to *2* on domain controllers or computers running Small Business Server (SBS) in mixed-mode environments (for example, networks running older versions of Windows). In addition, client machines with *RestrictAnonymous* set to *2* should not take on the role of master browser. For more details on configuring *RestrictAnonymous *on domain controllers and in Windows® 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.
*Note*
**
* In Windows® XP, there is a new *EveryoneIncludesAnonymous *registry setting that controls whether permissions given to the built-in Everyone group apply to Anonymous users. By default, permissions granted to the Everyone group do not apply to Anonymous users in Windows® XP. This provides the same level of Anonymous user restrictions as the *RestrictAnonymous* setting in previous Windows operating systems. The *EveryoneIncludesAnonymous* setting can be configured through the Security Configuration Manager (SCM) snap-in on computers running Windows® XP Professional or through a registry editor. (In SCM, the setting is defined in the Local Policies portion of the security template.) This setting is located in the same registry key as *RestrictAnonymous*.
External Knowledge Sources
For more information about managing the RestrictAnonymous setting, see:
* “Restricting Information Available to Anonymous Logon Users (143474) (Windows NT 4.0)” at http://go.microsoft.com/fwlink/?LinkID=16955 on the Microsoft Web site. * “How to Use the RestrictAnonymous Registry Value in Windows 2000” at http://go.microsoft.com/fwlink/?LinkID=16956 on the Microsoft Web site.
Sample Event
None
Related Events
None
Other Information
None
© 2000-2004 Microsoft Corporation, all rights reserved.
Keith Sirmons Microcomputer/LAN Administrator College of Veterinary Medicine