[THIN] Re: RestrictAnonymous Registry Setting

  • From: "Berny Stapleton" <berny.stapleton@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 24 Jan 2006 17:34:44 -0000

We have it on all of our servers, Metaframe XP FR3 / SP4 and Win2k SP4.
 
It does cause issues in some instances; the most common problem we have
is that you do require WinXP with SP2 to do password changes when the
password has expired.
 
Berny

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Keith Sirmons
Sent: 24 January 2006 16:52
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: RestrictAnonymous Registry Setting


Thank you for your help.  I will give this a test and see if it breaks
anything.
 
Keith
 
 
 
Keith Sirmons
Microcomputer/LAN Administrator
College of Veterinary Medicine


>>> mythinlist@xxxxxxxxx 1/24/2006 10:36:18 AM >>>

I agree with Jeff. The RestrictAnonymous setting disables the ability of
a foreign PC/source from pulling information from your server without
authenticating. There are apps that may depend on some of this
information. Jeff is correct in suggesting that you test until you pass
out and then have your PFY take over and test some more. You may want to
try the 2 setting but I don't know what effect that will have on Citrix.
I've never been inclined to find out.

Jeff Pitsch wrote:

> As always when making a change (especially this one), test TEst TEST!
> This is a setting that can break some software.  Do not put this into 
> a production environment until you have tested it thoroughly with all 
> your applications.
>  
> Jeff Pitsch
>
>  
> On 1/24/06, *Keith Sirmons* <KSirmons@xxxxxxxxxxxx 
> <mailto:KSirmons@xxxxxxxxxxxx>> wrote:
>
>     Howdy,
>      
>     I have Metaframe XP running on a windows 2000 server. 
>      
>     After running the Microsoft Baseline Security Analyzer from a MOM
>     Server against the machine, I am getting an error about the
>     RestrictAnonymous registry setting being 0 instead of 2. 
>      
>     Do you know if this needs to be set to 0 for Citrix, or can I
>     change it to 2 with out breaking Citrix?
>      
>     Thank you,
>     Keith
>      
>      
>      
>     MOM Online
>     <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
>     Management Pack
>     Summary
>
>     The *RestrictAnonymous* registry setting controls the level of
>     enumeration granted to an Anonymous user.
>
>     Anonymous users can use a variety of information about your system
>     in an attack on your system. For example, the list of user names
>     and share names could help potential attackers identify who is an
>     Administrator, which computers have weak account protection, and
>     which computers share information with the network.
>
>      
>     Causes
>
>     If *RestrictAnonymous* is set to *0* (the default setting), any
>     user can obtain system information, including user names and
>     details, account policies, and share names. Anonymous users can
>     use this information in an attack on your system.
>
>      
>     Resolutions
>
>     To restrict anonymous connections from accessing system
>     information, change the *RestrictAnonymous* security settings. You
>     can do this through the Security Configuration Manager snap-in
>     (the setting is defined in Local Policies in the default security
>     templates) or through the registry editor. In
>     Microsoft(r) Windows(r) NT(r) Server 4.0, you should change the
>     registry setting from *0* to *1*. In Windows(r) 2000 Server, you
>     should change it from *0* to *1* or *2*.
>
>     0 - None. Rely on default permissions.
>
>     1 - Do not allow enumeration of Security Accounts Manager (SAM)
>     accounts and names.
>
>     2 - No access without explicit anonymous permissions. (Not
>     available on Windows NT 4.0 Server.)
>
>     *Caution*
>
>     We recommend that you do not set this value to *2* on domain
>     controllers or computers running Small Business Server (SBS) in
>     mixed-mode environments (for example, networks running older
>     versions of Windows). In addition, client machines with
>     *RestrictAnonymous* set to *2* should not take on the role of
>     master browser. For more details on configuring
>     *RestrictAnonymous* on domain controllers and in Windows(r) 2000
>     environments, and to better understand potential compatibility
>     issues when using this setting, refer to the Microsoft Knowledge
>     Base articles that are listed later in this document.
>
>     *Note*
>
>     In Windows(r) XP, there is a new *EveryoneIncludesAnonymous*
>     registry setting that controls whether permissions given to the
>     built-in Everyone group apply to Anonymous users. By default,
>     permissions granted to the Everyone group do not apply to
>     Anonymous users in Windows(r) XP. This provides the same level of
>     Anonymous user restrictions as the *RestrictAnonymous* setting in
>     previous Windows operating systems. The
>     *EveryoneIncludesAnonymous* setting can be configured through the
>     Security Configuration Manager (SCM) snap-in on computers running
>     Windows(r) XP Professional or through a registry editor. (In SCM,
>     the setting is defined in the Local Policies portion of the
>     security template.) This setting is located in the same registry
>     key as *RestrictAnonymous*.
>      
>     External Knowledge Sources
>
>     For more information about managing the RestrictAnonymous setting,
>     see:
>
>         * "Restricting Information Available to Anonymous Logon Users
>           (143474) (Windows NT 4.0)" at
>           http://go.microsoft.com/fwlink/?LinkID=16955 on the
>           Microsoft Web site.
>         * "How to Use the RestrictAnonymous Registry Value in
>           Windows 2000" at
>           http://go.microsoft.com/fwlink/?LinkID=16956 on the
>           Microsoft Web site.
>
>      
>     Sample Event
>
>     None
>
>      
>     Related Events
>
>     None
>
>      
>     Other Information
>
>     None
>
>      
>
>     (c) 2000-2004 Microsoft Corporation, all rights reserved.
>
>      
>     Keith Sirmons
>     Microcomputer/LAN Administrator
>     College of Veterinary Medicine
>      
>
>
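
An added example, not part of the thread: a read-only check that reports the current RestrictAnonymous level with the meanings quoted above, so a baseline can be recorded before and after testing. The key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa is not stated in the thread and is supplied here; the function name and the -Desired parameter are hypothetical.

```powershell
# Added example: read-only audit of the anonymous-access values. Changes nothing.
function Get-AnonymousRestriction {
    param(
        # Hypothetical parameter: the level you settled on after testing.
        [ValidateSet(1, 2)][int]$Desired = 1
    )
    $meaning = @{
        0 = 'None. Rely on default permissions.'
        1 = 'Do not allow enumeration of SAM accounts and names.'
        2 = 'No access without explicit anonymous permissions.'
    }
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $names = $lsa.PSObject.Properties.Name

    # An absent value is reported as 0, the default described in the quoted text.
    $ra  = if ($names -contains 'RestrictAnonymous') { [int]$lsa.RestrictAnonymous } else { 0 }
    $eia = if ($names -contains 'EveryoneIncludesAnonymous') { [int]$lsa.EveryoneIncludesAnonymous } else { $null }

    # ProductType 2 = domain controller; the quoted caution advises against 2 there.
    $isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
    if ($isDc -and ($ra -eq 2 -or $Desired -eq 2)) {
        Write-Warning 'Domain controller: review the caution about value 2 before enforcing it.'
    }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        RestrictAnonymous         = $ra
        Meaning                   = $meaning[$ra]
        EveryoneIncludesAnonymous = $eia      # $null where the value is absent
        IsDomainController        = $isDc
        MeetsDesired              = ($ra -ge $Desired)
    }
}

Get-AnonymousRestriction -Desired 1 | Format-List
```

Running it on a test server before and after the change gives a record to compare against when an application starts failing.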