[THIN] Re: RestrictAnonymous Registry Setting

  • From: "Berny Stapleton" <berny.stapleton@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 25 Jan 2006 09:37:17 -0000

You can't do password changes with SP1. It gives you access denied
messages.
 
There is also a min requirement for Win2k, but I am not 100% sure what
it is as we don't run Win2k on the workstations.
 
Berny

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
Sent: 24 January 2006 20:55
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: RestrictAnonymous Registry Setting


Imagine that...  Having to change your password when it expires...  Did
I miss something?  Sorry,  not trying to be mean or anything.


On 1/24/06, Berny Stapleton <berny.stapleton@xxxxxxxxxx> wrote: 

        Oh and it's set to 2.
         
        Berny

  _____  

        From: Berny Stapleton 
        Sent: 24 January 2006 17:37
        To: 'thin@xxxxxxxxxxxxx'
        Subject: RE: [THIN] Re: RestrictAnonymous Registry Setting
        
         
        
        We have it on all of our servers, Metaframe XP FR3 / SP4 and
        Win2k SP4.
         
        It does cause issues in some instances, the most common problem
        we have is that you do require WinXP with SP2 to do password
        changes when the password has expired.
         
        Berny

  _____  

        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Keith Sirmons
        Sent: 24 January 2006 16:52
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: RestrictAnonymous Registry Setting
        
         
        Thank you for your help.  I will give this a test and see if it
        breaks anything.
         
        Keith
         
         
         
        Keith Sirmons
        Microcomputer/LAN Administrator
        College of Veterinary Medicine
        
        
        >>> mythinlist@xxxxxxxxx 1/24/2006 10:36:18 AM >>>
         
        I agree with Jeff. The restrictanonymous setting disables the
        ability of a foreign pc/source from pulling information from your
        server without authenticating. There are apps that may depend on
        some of this information. Jeff is correct in suggesting that you
        test until you pass out and then have your PFY take over and test
        some more. You may want to try the 2 setting but I don't know what
        effect that will have on Citrix. I've never been inclined to find
        out.
        
        Jeff Pitsch wrote:
        
        > As always when making a change (especially this one), test TEst
        > TEST! This is a setting that can break some software. Do not put
        > this into a production environment until you have tested it
        > thoroughly with all your applications.
        >  
        > Jeff Pitsch
        >
        >  
        > On 1/24/06, *Keith Sirmons* <KSirmons@xxxxxxxxxxxx> wrote:
        >
        >     Howdy,
        >
        >     I have Metaframe XP running on a Windows 2000 server.
        >
        >     After running the Microsoft Baseline Security Analyzer from a
        >     MOM Server against the machine, I am getting an error about the
        >     RestrictAnonymous registry setting being 0 instead of 2.
        >
        >     Do you know if this needs to be set to 0 for Citrix, or can I
        >     change it to 2 without breaking Citrix?
        >      
        >     Thank you,
        >     Keith
        >      
        >      
        >      
        >      MOM Online
        >     <http://support.microsoft.com/default.aspx?scid=mk;en-US;a33abf4cba6744d5ad72bd574147304b>
        >     Management Pack
        >     Summary
        >
        >     The *RestrictAnonymous* registry setting controls the level of
        >     enumeration granted to an Anonymous user.
        >
        >     Anonymous users can use a variety of information about your
        >     system in an attack on your system. For example, the list of
        >     user names and share names could help potential attackers
        >     identify who is an Administrator, which computers have weak
        >     account protection, and which computers share information with
        >     the network.
        > 
        >      
        >     Causes
        >
        >     If *RestrictAnonymous* is set to *0* (the default setting), any
        >     user can obtain system information, including user names and
        >     details, account policies, and share names. Anonymous users can
        >     use this information in an attack on your system.
        >
        >      
        >     Resolutions
        >
        >     To restrict anonymous connections from accessing system
        >     information, change the *RestrictAnonymous* security settings.
        >     You can do this through the Security Configuration Manager
        >     snap-in (the setting is defined in Local Policies in the
        >     default security templates) or through the registry editor.
        >     In Microsoft® Windows® NT® Server 4.0, you should change the
        >     registry setting from *0* to *1*. In Windows® 2000 Server, you
        >     should change it from *0* to *1* or *2*.
        >
        >     0 - None. Rely on default permissions.
        >
        >     1 - Do not allow enumeration of Security Accounts Manager (SAM)
        >     accounts and names.
        >
        >     2 - No access without explicit anonymous permissions. (Not
        >     available on Windows NT 4.0 Server.)
        >
        >     *Caution*
        >
        >     We recommend that you do not set this value to *2* on domain
        >     controllers or computers running Small Business Server (SBS) in
        >     mixed-mode environments (for example, networks running older
        >     versions of Windows). In addition, client machines with
        >     *RestrictAnonymous* set to *2* should not take on the role of
        >     master browser. For more details on configuring
        >     *RestrictAnonymous* on domain controllers and in Windows® 2000
        >     environments, and to better understand potential compatibility
        >     issues when using this setting, refer to the Microsoft Knowledge
        >     Base articles that are listed later in this document.
        >
        >     *Note*
        >
        >     In Windows® XP, there is a new *EveryoneIncludesAnonymous*
        >     registry setting that controls whether permissions given to the
        >     built-in Everyone group apply to Anonymous users. By default,
        >     permissions granted to the Everyone group do not apply to
        >     Anonymous users in Windows® XP. This provides the same level of
        >     Anonymous user restrictions as the *RestrictAnonymous* setting
        >     in previous Windows operating systems. The
        >     *EveryoneIncludesAnonymous* setting can be configured through
        >     the Security Configuration Manager (SCM) snap-in on computers
        >     running Windows® XP Professional or through a registry editor.
        >     (In SCM, the setting is defined in the Local Policies portion of
        >     the security template.) This setting is located in the same
        >     registry key as *RestrictAnonymous*.
        >      
        >     External Knowledge Sources
        >
        >     For more information about managing the RestrictAnonymous
        >     setting, see:
        >
        >         * "Restricting Information Available to Anonymous Logon Users
        >           (143474) (Windows NT 4.0)" at
        >           http://go.microsoft.com/fwlink/?LinkID=16955 on the
        >           Microsoft Web site.
        >         * "How to Use the RestrictAnonymous Registry Value in
        >           Windows 2000" at
        >           http://go.microsoft.com/fwlink/?LinkID=16956 on the
        >           Microsoft Web site.
        >
        >      
        >     Sample Event
        >
        >     None
        >
        >      
        >     Related Events
        >
        >     None
        >
        >      
        >     Other Information
        >
        >     None
        >
        >      
        >
        >     (c) 2000-2004 Microsoft Corporation, all rights reserved.
        >
        >      
        >     Keith Sirmons
        >     Microcomputer/LAN Administrator 
        >     College of Veterinary Medicine
        >      
        >
        >
        ************************************************
        For Archives, RSS, to Unsubscribe, Subscribe or 
        set Digest or Vacation mode use the below link: 
        //www.freelists.org/list/thin
        ************************************************
         

        
________________________________________________________________________
        This e-mail has been scanned for all viruses by Star. The
        service is powered by MessageLabs. For more information on a
proactive
        anti-virus service working around the clock, around the globe,
visit: 
        http://www.star.net.uk <http://www.star.net.uk/> 
        
________________________________________________________________________
        
        
______________________________________________________________________ 
        The contents of this transmission are confidential. If you are
not the
        named addressee or if it has been addressed to you in error,
please
        notify the sender immediately and then delete this message. 
        Any unauthorised copying and transmission is forbidden.
Electronic 
        transmissions cannot be guaranteed to be secure. If verification
is
        required, please contact the sender.
        
______________________________________________________________________
        



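An added example, not part of the original thread or any poster's code: a read-only PowerShell audit that reads `RestrictAnonymous` and `EveryoneIncludesAnonymous`, maps the value to the 0/1/2 descriptions quoted above, and flags the domain-controller caution. It assumes both values sit under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (the thread does not quote the path); the function names are illustrative.

```powershell
# Added example: read-only audit of the two values discussed in the thread.
# Assumption: the Lsa control key below is where both values live.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Level descriptions as given in the quoted Management Pack text.
$Meaning = @{
    0 = 'None. Rely on default permissions.'
    1 = 'Do not allow enumeration of SAM accounts and names.'
    2 = 'No access without explicit anonymous permissions.'
}

function Get-LsaDword {
    param([Parameter(Mandatory)][string]$Name)
    # Return $null when the value is absent rather than throwing.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AnonymousRestriction {
    $raw = Get-LsaDword -Name 'RestrictAnonymous'
    $eia = Get-LsaDword -Name 'EveryoneIncludesAnonymous'
    $ra = if ($null -eq $raw) { 0 } else { $raw }   # absent is treated as the default, 0

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

    $notes = @()
    if ($ra -eq 0) { $notes += 'Anonymous users can list user names, account policies and share names.' }
    if ($ra -eq 2) { $notes += 'Thread report: expired-password changes needed WinXP SP2 clients; test applications first.' }
    if ($ra -eq 2 -and $isDc) { $notes += 'Domain controller: see the mixed-mode caution before keeping 2.' }
    if ($eia -eq 1) { $notes += 'Everyone permissions also apply to Anonymous users.' }

    $text = if ($Meaning.ContainsKey($ra)) { $Meaning[$ra] } else { 'Value outside the documented 0-2 range.' }
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        RestrictAnonymous         = $ra
        Meaning                   = $text
        EveryoneIncludesAnonymous = $eia
        IsDomainController        = $isDc
        Notes                     = $notes -join ' '
    }
}

Test-AnonymousRestriction | Format-List
```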
