Cheers Tony, M$ should fix their baseline security analyser as well then J From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Anthony_Baldwin@xxxxxxxxx Sent: 13 July 2007 14:29 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Question on RemoteAnonymous Andrew, According to <http://technet2.microsoft.com/windowsserver/en/library/6361e9c2-73ad-49c3-a 012-6d09cebd31611033.mspx?mfr=true> http://technet2.microsoft.com/windowsserver/en/library/6361e9c2-73ad-49c3-a0 12-6d09cebd31611033.mspx?mfr=true The restrictanonymous = 2 setting is not supported in 2003. And you should use the EveryoneIncludesAnonymous setting to control anonymous access to 'other securable objects'. Tony "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx> Sent by: thin-bounce@xxxxxxxxxxxxx 07/12/2007 11:33 AM Please respond to thin@xxxxxxxxxxxxx To <thin@xxxxxxxxxxxxx> cc Subject [THIN] Re: Question on RemoteAnonymous Of course, that should all have said 'restrictanonymous' - but you get the jist From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Wood Sent: 12 July 2007 16:30 To: thin@xxxxxxxxxxxxx Subject: [THIN] Question on RemoteAnonymous Hi, I've been tasked with disable Null Netbios sessions, not a particular problem, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to dword 2 However, while this *was* possible as a Group Policy in W2k, in W2k3 we have Computer Configuration==>Windows Settings==>Security Settings==>Local Policies==>Security Options Network access: Do not allow anonymous enumeration of SAM accounts and shares Possible settings for this policy are only.. Enabled and Disabed This policy also corresponds to the registry entry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa = 1 or 0. :? So.. Is it that I have to mess about creating a new policy template, or has someone got one already? Tia. Andrew Gilwood CS Ltd Registered Office : 197 Leechmere Road, Sunderland, UK, SR2 9DL. No. 6099397 England