[THIN] Re: RestrictAnnoymous Registry Setting

  • From: Philip Walley <mythinlist@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 24 Jan 2006 10:36:18 -0600

I agree with Jeff. The RestrictAnonymous setting disables the ability of a foreign PC/source to pull information from your server without authenticating. There are apps that may depend on some of this information. Jeff is correct in suggesting that you test until you pass out and then have your PFY take over and test some more. You may want to try the 2 setting but I don't know what effect that will have on Citrix. I've never been inclined to find out.

Jeff Pitsch wrote:

As always when making a change (especially this one), test TEst TEST! This is a setting that can break some software. Do not put this into a production environment until you have tested it thoroughly with all your applications.
Jeff Pitsch


On 1/24/06, *Keith Sirmons* <KSirmons@xxxxxxxxxxxx> wrote:

Howdy,
I have Metaframe XP running on a Windows 2000 server. After running the Microsoft Baseline Security Analyzer from a MOM Server against the machine, I am getting an error about the RestrictAnonymous registry setting being 0 instead of 2. Do you know if this needs to be set to 0 for Citrix, or can I change it to 2 without breaking Citrix?
Thank you,
Keith
MOM Online
<http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
Management Pack
Summary


    The *RestrictAnonymous* registry setting controls the level of
    enumeration granted to an Anonymous user.

    Anonymous users can use a variety of information about your system
    in an attack on your system. For example, the list of user names
    and share names could help potential attackers identify who is an
    Administrator, which computers have weak account protection, and
    which computers share information with the network.

Causes

    If *RestrictAnonymous* is set to *0* (the default setting), any
    user can obtain system information, including user names and
    details, account policies, and share names. Anonymous users can
    use this information in an attack on your system.

Resolutions

    To restrict anonymous connections from accessing system
    information, change the *RestrictAnonymous* security settings. You
    can do this through the Security Configuration Manager snap-in
    (the setting is defined in Local Policies in the default security
    templates) or through the registry editor. In
    Microsoft® Windows® NT® Server 4.0, you should change the
    registry setting from *0* to *1*. In Windows® 2000 Server, you
    should change it from *0* to *1* or *2*.

    0 - None. Rely on default permissions.

    1 - Do not allow enumeration of Security Accounts Manager (SAM)
    accounts and names.

    2 - No access without explicit anonymous permissions. (Not
    available on Windows NT 4.0 Server.)

    *Caution*

    We recommend that you do not set this value to *2* on domain
    controllers or computers running Small Business Server (SBS) in
    mixed-mode environments (for example, networks running older
    versions of Windows). In addition, client machines with
    *RestrictAnonymous* set to *2* should not take on the role of
    master browser. For more details on configuring
    *RestrictAnonymous* on domain controllers and in Windows® 2000
    environments, and to better understand potential compatibility
    issues when using this setting, refer to the Microsoft Knowledge
    Base articles that are listed later in this document.

    *Note*

    In Windows® XP, there is a new *EveryoneIncludesAnonymous*
    registry setting that controls whether permissions given to the
    built-in Everyone group apply to Anonymous users. By default,
    permissions granted to the Everyone group do not apply to
    Anonymous users in Windows® XP. This provides the same level of
    Anonymous user restrictions as the *RestrictAnonymous* setting in
    previous Windows operating systems. The
    *EveryoneIncludesAnonymous* setting can be configured through the
    Security Configuration Manager (SCM) snap-in on computers running
    Windows® XP Professional or through a registry editor. (In SCM,
    the setting is defined in the Local Policies portion of the
    security template.) This setting is located in the same registry
    key as *RestrictAnonymous*.

External Knowledge Sources


    For more information about managing the RestrictAnonymous setting,
    see:

        * "Restricting Information Available to Anonymous Logon Users
          (143474) (Windows NT 4.0)" at
          http://go.microsoft.com/fwlink/?LinkID=16955 on the
          Microsoft Web site.
        * "How to Use the RestrictAnonymous Registry Value in
          Windows 2000" at
          http://go.microsoft.com/fwlink/?LinkID=16956 on the
          Microsoft Web site.

Sample Event

    None

Related Events

    None

Other Information

    None



    © 2000-2004 Microsoft Corporation, all rights reserved.

Keith Sirmons
Microcomputer/LAN Administrator
College of Veterinary Medicine
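
The value table and cautions in the quoted MOM text, turned into a check over `reg query` output. This is an added example, not part of the original thread or of Microsoft's text. The key path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the function names and the sample output are assumptions; the thread itself does not give the key path.

```python
import re

# Assumed location (the thread only says both values share one key):
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MEANING = {0: "None. Rely on default permissions.",
           1: "Do not allow enumeration of SAM accounts and names.",
           2: "No access without explicit anonymous permissions."}
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Constructed sample output for a server in the state MBSA reported.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    auditbaseobjects    REG_DWORD    0x0
    restrictanonymous    REG_DWORD    0x0
    everyoneincludesanonymous    REG_DWORD    0x0
"""

def parse_reg_query(text):
    """Map lower-cased value name -> int for every REG_DWORD line."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in map(DWORD_LINE.match, text.splitlines()) if m}

def assess(values, os_name="2000", dc_or_sbs_mixed=False, master_browser=False):
    """Return (level, message) findings per the rules in the quoted text."""
    ra = values.get("restrictanonymous", 0)   # absent == default of 0
    out = []
    if ra not in MEANING:
        out.append(("FAIL", f"RestrictAnonymous={ra} is not a documented value"))
    elif ra == 0:
        out.append(("FAIL", "RestrictAnonymous=0: anonymous users can obtain "
                            "user names, account policies and share names"))
    elif ra == 2 and os_name == "NT4":
        out.append(("FAIL", "RestrictAnonymous=2 is not available on NT 4.0"))
    else:
        out.append(("PASS", f"RestrictAnonymous={ra}: {MEANING[ra]}"))
    if ra == 2 and dc_or_sbs_mixed:
        out.append(("WARN", "value 2 is not recommended on domain controllers "
                            "or SBS in mixed-mode environments"))
    if ra == 2 and master_browser:
        out.append(("WARN", "a machine set to 2 should not be master browser"))
    if os_name == "XP" and values.get("everyoneincludesanonymous", 0) != 0:
        out.append(("FAIL", "EveryoneIncludesAnonymous is on: Everyone "
                            "permissions apply to Anonymous users"))
    return out

if __name__ == "__main__":
    for level, message in assess(parse_reg_query(SAMPLE)):
        print(level, message)
```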


