[THIN] Re: RestrictAnonymous Registry Setting

  • From: Jeff Pitsch <jepitsch@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 24 Jan 2006 10:27:20 -0600

As always when making a change (especially this one), test TEst TEST!  This
is a setting that can break some software.  Do not put this into a
production environment until you have tested it thoroughly with all your
applications.

Jeff Pitsch


On 1/24/06, Keith Sirmons <KSirmons@xxxxxxxxxxxx> wrote:
>
> Howdy,
>
> I have Metaframe XP running on a windows 2000 server.
>
> After running the Microsoft Baseline Security Analyzer from a MOM Server
> against the machine, I am getting an error about the RestrictAnonymous
> registry setting being 0 instead of 2.
>
> Do you know if this needs to be set to 0 for Citrix, or can I change it to
> 2 without breaking Citrix?
>
> Thank you,
> Keith
>
>
>
>   MOM Online <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
>   Management Pack   Summary
>
> The *RestrictAnonymous* registry setting controls the level of enumeration
> granted to an Anonymous user.
>
> Anonymous users can use a variety of information about your system in an
> attack on your system. For example, the list of user names and share names
> could help potential attackers identify who is an Administrator, which
> computers have weak account protection, and which computers share
> information with the network.
>    Causes
>
> If *RestrictAnonymous* is set to *0* (the default setting), any user can
> obtain system information, including user names and details, account
> policies, and share names. Anonymous users can use this information in an
> attack on your system.
>    Resolutions
>
> To restrict anonymous connections from accessing system information,
> change the *RestrictAnonymous* security settings. You can do this through
> the Security Configuration Manager snap-in (the setting is defined in Local
> Policies in the default security templates) or through the registry editor.
> In Microsoft® Windows® NT® Server 4.0, you should change the registry
> setting from *0* to *1*. In Windows® 2000 Server, you should change it
> from *0* to *1* or *2*.
>
> 0 - None. Rely on default permissions.
>
> 1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts
> and names.
>
> 2 - No access without explicit anonymous permissions. (Not available on
> Windows NT 4.0 Server.)
>
> *Caution*
>
> We recommend that you do not set this value to *2* on domain controllers
> or computers running Small Business Server (SBS) in mixed-mode environments
> (for example, networks running older versions of Windows). In addition,
> client machines with *RestrictAnonymous* set to *2* should not take on the
> role of master browser. For more details on configuring *RestrictAnonymous*
> on domain controllers and in Windows® 2000 environments, and to better
> understand potential compatibility issues when using this setting, refer to
> the Microsoft Knowledge Base articles that are listed later in this
> document.
>
> *Note*
>
> In Windows® XP, there is a new *EveryoneIncludesAnonymous* registry
> setting that controls whether permissions given to the built-in Everyone
> group apply to Anonymous users. By default, permissions granted to the
> Everyone group do not apply to Anonymous users in Windows® XP. This provides
> the same level of Anonymous user restrictions as the *RestrictAnonymous*
> setting in previous Windows operating systems. The
> *EveryoneIncludesAnonymous* setting can be configured through the Security
> Configuration Manager (SCM) snap-in on computers running Windows® XP
> Professional or through a registry editor. (In SCM, the setting is defined
> in the Local Policies portion of the security template.) This setting is
> located in the same registry key as *RestrictAnonymous*.
>    External Knowledge Sources
>
> For more information about managing the RestrictAnonymous setting, see:
>
>    - "Restricting Information Available to Anonymous Logon Users
>    (143474) (Windows NT 4.0)" at
>    http://go.microsoft.com/fwlink/?LinkID=16955 on the Microsoft Web
>    site.
>    - "How to Use the RestrictAnonymous Registry Value in Windows 2000"
>    at http://go.microsoft.com/fwlink/?LinkID=16956 on the Microsoft Web
>    site.
>
>    Sample Event
>
> None
>    Related Events
>
> None
>    Other Information
>
> None
>    (c) 2000-2004 Microsoft Corporation, all rights reserved.
>
> Keith Sirmons
> Microcomputer/LAN Administrator
> College of Veterinary Medicine
>
>
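The audit-then-change procedure the quoted MOM text describes (read the LSA value, confirm anonymous enumeration actually works, change the DWORD, re-test) as an added PowerShell example; this is not code from the thread, from Citrix or from Microsoft. It assumes a local Windows host where the script runs elevated, reads the same `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` key the message refers to, and uses the classic `net use \\host\IPC$ "" /user:""` null-session probe as the empirical check. `RestrictAnonymousSAM` is included as an assumption about newer (XP/2003-era) hosts and is simply reported as "(not set)" where absent. Nothing is written unless `-Apply` is given.

```powershell
# Added example, not part of the original mailing-list thread.
# Audits the LSA anonymous-access values MBSA/MOM complains about, runs a
# null-session probe, and optionally sets RestrictAnonymous. Run elevated.
param(
    # Host to probe for a null session. Assumption: for a meaningful result
    # run the script from a *second* machine and point this at the target.
    [string]$ProbeTarget = $env:COMPUTERNAME,
    # 2 is what MBSA wants on Windows 2000; the quoted text warns against 2
    # on domain controllers / SBS in mixed-mode networks.
    [ValidateSet(0, 1, 2)][int]$DesiredRestrictAnonymous = 2,
    [switch]$Apply
)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Value names from the thread; RestrictAnonymousSAM is an assumption about
# XP/2003-era hosts and is reported as "(not set)" where it does not exist.
$ValueNames = 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous'

function Get-LsaAnonymousSettings {
    # One object per value so the result can be piped, filtered or logged.
    $props = Get-ItemProperty -Path $LsaPath
    foreach ($name in $ValueNames) {
        $value = $props.$name
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -eq $value) { '(not set)' } else { $value }
            # MBSA flags RestrictAnonymous = 0 (the default) as a finding.
            Finding = ($name -eq 'RestrictAnonymous' -and $value -eq 0)
        }
    }
}

function Test-NullSession {
    param([string]$Target)
    # Anonymous IPC$ connect followed by share enumeration. Before hardening
    # both tend to succeed; after RestrictAnonymous = 2 (and a reboot) the
    # enumeration should be refused. Exit codes are captured, not parsed text.
    net use "\\$Target\IPC$" "" /user:"" 2>&1 | Out-Null
    $connected = ($LASTEXITCODE -eq 0)
    net view "\\$Target" 2>&1 | Out-Null
    $enumerated = ($LASTEXITCODE -eq 0)
    net use "\\$Target\IPC$" /delete 2>&1 | Out-Null
    [pscustomobject]@{
        Target           = $Target
        NullSessionOpen  = $connected
        SharesEnumerated = $enumerated
    }
}

function Set-RestrictAnonymous {
    param([int]$Value)
    $current = (Get-ItemProperty -Path $LsaPath).RestrictAnonymous
    if ($current -eq $Value) {
        "RestrictAnonymous already $Value; nothing changed."
        return
    }
    Set-ItemProperty -Path $LsaPath -Name 'RestrictAnonymous' -Value $Value -Type DWord
    # LSA reads the value at startup, so the change is not effective until reboot.
    "RestrictAnonymous changed from '$current' to $Value. Reboot required; re-run Test-NullSession afterwards."
}

# Step 1: what MBSA/MOM is looking at.
'Current LSA anonymous-access values:'
Get-LsaAnonymousSettings | Format-Table -AutoSize

# Step 2: does anonymous enumeration actually work right now?
'Null-session probe (should show SharesEnumerated = False after hardening):'
Test-NullSession -Target $ProbeTarget | Format-Table -AutoSize

# Step 3: change only when explicitly asked, so the default run is a pure audit.
if ($Apply) {
    Set-RestrictAnonymous -Value $DesiredRestrictAnonymous
}
```

Run it once without `-Apply` on the Citrix box to record the baseline, take a snapshot or backup of the `Lsa` key, then run it with `-Apply`, reboot, and repeat the audit from a client while exercising every published application, which is the "test, test, test" step the reply insists on. If a client in the farm also acts as master browser, or the host is a domain controller in a mixed-mode domain, use `-DesiredRestrictAnonymous 1` instead of 2, per the caution in the quoted MOM text.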
