As always when making a change (especially this one), test TEst TEST! This is a setting that can break some software. Do not put this into a production environment until you have tested it thoroughly with all your applications.

Jeff Pitsch

On 1/24/06, Keith Sirmons <KSirmons@xxxxxxxxxxxx> wrote:
>
> Howdy,
>
> I have Metaframe XP running on a Windows 2000 server.
>
> After running the Microsoft Baseline Security Analyzer from a MOM Server
> against the machine, I am getting an error about the RestrictAnonymous
> registry setting being 0 instead of 2.
>
> Do you know if this needs to be set to 0 for Citrix, or can I change it to
> 2 without breaking Citrix?
>
> Thank you,
> Keith
>
> MOM Online <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
> Management Pack Summary
>
> The *RestrictAnonymous* registry setting controls the level of enumeration
> granted to an Anonymous user.
>
> Anonymous users can use a variety of information about your system in an
> attack on your system. For example, the list of user names and share names
> could help potential attackers identify who is an Administrator, which
> computers have weak account protection, and which computers share
> information with the network.
>
> Causes
>
> If *RestrictAnonymous* is set to *0* (the default setting), any user can
> obtain system information, including user names and details, account
> policies, and share names. Anonymous users can use this information in an
> attack on your system.
>
> Resolutions
>
> To restrict anonymous connections from accessing system information,
> change the *RestrictAnonymous* security settings. You can do this through
> the Security Configuration Manager snap-in. (The setting is defined in Local
> Policies in the default security templates.) or through the registry editor.
> In Microsoft® Windows® NT® Server 4.0, you should change the registry
> setting from *0* to *1*.
> In Windows® 2000 Server, you should change it from *0* to *1* or *2*.
>
> 0 - None. Rely on default permissions.
>
> 1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts
> and names.
>
> 2 - No access without explicit anonymous permissions. (Not available on
> Windows NT 4.0 Server.)
>
> *Caution*
>
> - We recommend that you do not set this value to *2* on domain controllers
> or computers running Small Business Server (SBS) in mixed-mode environments
> (for example, networks running older versions of Windows). In addition,
> client machines with *RestrictAnonymous* set to *2* should not take on the
> role of master browser. For more details on configuring *RestrictAnonymous*
> on domain controllers and in Windows® 2000 environments, and to better
> understand potential compatibility issues when using this setting, refer to
> the Microsoft Knowledge Base articles that are listed later in this
> document.
>
> *Note*
>
> - In Windows® XP, there is a new *EveryoneIncludesAnonymous* registry
> setting that controls whether permissions given to the built-in Everyone
> group apply to Anonymous users. By default, permissions granted to the
> Everyone group do not apply to Anonymous users in Windows® XP. This provides
> the same level of Anonymous user restrictions as the *RestrictAnonymous*
> setting in previous Windows operating systems. The
> *EveryoneIncludesAnonymous* setting can be configured through the Security
> Configuration Manager (SCM) snap-in on computers running Windows® XP
> Professional or through a registry editor. (In SCM, the setting is defined
> in the Local Policies portion of the security template.) This setting is
> located in the same registry key as *RestrictAnonymous*.
>
> External Knowledge Sources
>
> For more information about managing the RestrictAnonymous setting, see:
>
> - "Restricting Information Available to Anonymous Logon Users
>   (143474) (Windows NT 4.0)" at
>   http://go.microsoft.com/fwlink/?LinkID=16955 on the Microsoft Web site.
> - "How to Use the RestrictAnonymous Registry Value in Windows 2000" at
>   http://go.microsoft.com/fwlink/?LinkID=16956 on the Microsoft Web site.
>
> Sample Event
>
> None
>
> Related Events
>
> None
>
> Other Information
>
> None
>
> © 2000-2004 Microsoft Corporation, all rights reserved.
>
> Keith Sirmons
> Microcomputer/LAN Administrator
> College of Veterinary Medicine
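
Added example, not part of the original messages: a read-only PowerShell check that reports the current RestrictAnonymous and EveryoneIncludesAnonymous values with the meanings quoted above, so the state of each server can be recorded before any change is tested. The registry path is an assumption (the standard LSA key; the thread does not give it), and Get-AnonymousRestriction is a hypothetical function name.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Assumption: the standard LSA key below (the thread does not give the path).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value meanings as listed in the quoted management pack text.
$Meaning = @{
    0 = 'None. Rely on default permissions.'
    1 = 'Do not allow enumeration of SAM accounts and names.'
    2 = 'No access without explicit anonymous permissions.'
}

function Get-AnonymousRestriction {
    param([string]$Path = $LsaKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # An absent value is reported here as 0, the default named in the text.
    $ra = 0
    if ($null -ne $props.RestrictAnonymous) { $ra = [int]$props.RestrictAnonymous }

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    $notes = @()
    if ($ra -eq 0) {
        $notes += 'Anonymous enumeration is unrestricted (the finding reported in the thread).'
    }
    if ($ra -eq 2 -and $isDc) {
        $notes += 'Value 2 on a domain controller: see the quoted caution about mixed-mode environments.'
    }
    if (-not $Meaning.ContainsKey($ra)) {
        $notes += 'Value is outside the 0-2 range described in the text.'
    }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        RestrictAnonymous         = $ra
        Meaning                   = $Meaning[$ra]
        EveryoneIncludesAnonymous = $props.EveryoneIncludesAnonymous  # $null if not set
        IsDomainController        = $isDc
        Notes                     = $notes -join ' '
    }
}

Get-AnonymousRestriction | Format-List
```

The script only reads the registry and WMI; it changes nothing, so it can be run on production servers to capture the baseline before a test system is switched to 1 or 2.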