Yup. This is part of the LanMan server settings, so it's on all Windows 2000 versions. I guess on Pro you don't have to worry about the DC issues.

Dan

>From: "Sorin Srbu" <sorin@xxxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: "windows2000@xxxxxxxxxxxxx" <windows2000@xxxxxxxxxxxxx>
>Subject: [windows2000] Re: Anon logon
>Date: Thu, 08 Aug 2002 08:44:32 +0200
>
>On Wed, 07 Aug 2002 11:17:26 -0400, Daniel Angelucci wrote:
>
> >There are a series of things that use the anonymous logon. I would recommend
> >disabling it, but inevitably things may break as a result. In order to
> >disable anonymous logons, go to the local security policy of the machine (or
> >implement through group policy) and look for the entry under security
> >options for "Additional Restrictions for Anonymous Connections." Change
> >the value to "No Access Without Explicit Permissions".
> >
> >Also, change the permissions on the registry key
> >"HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes"
> >so that the Everyone group cannot read this key.
> >
> >Also, set the key RestrictNullSessAccess to "1". This is the default.
> >
> >Reboot, then prepare for calls. I can tell you that some things will break
> >for sure. If you have downlevel domain controllers, this will prevent them
> >from communicating with your 2000 DCs. In addition, several programs use
> >the Null bind to enumerate resources on your network. Some Xerox software
> >we use has this problem. Xerox does not appear interested in fixing this.
> >
> >Now, to actually answer your question, anonymous connections to your DCs or
> >servers are connections that are made for the purposes of enumerating
> >resources. The three most common are inter-domain trusts with NT 4.0
> >domains, intra-domain communication with NT 4.0 BDCs and (strangely)
> >printing services from non-domain or Windows 95/98 machines. Basically
> >these services count on being able to see the resources available on these
> >servers without logging on. Your event log is showing that someone has done
> >this. Anonymous binds to my downlevel BDC are the single most used exploit
> >to get information about my user accounts, groups and shares.
> >
> >I believe that the NIMDA virus also used the null session to enumerate
> >attackable shares.
>
>Does all of the above also apply to win2k pro?
>
> >>From: "Sorin Srbu" <sorin@xxxxxxxxxxxxx>
> >>Reply-To: windows2000@xxxxxxxxxxxxx
> >>To: "windows2000@xxxxxxxxxxxxx" <windows2000@xxxxxxxxxxxxx>
> >>Subject: [windows2000] Re: Anon logon
> >>Date: Wed, 07 Aug 2002 10:04:03 +0200
> >>
> >>On Tue, 06 Aug 2002 15:35:40 +0000, bbeckett2000@xxxxxxxxx wrote:
> >>
> >> >What is the NT Authority\Anonymous logon used for?
> >> >I have sporadic entries in my logs
> >>
> >>I'd like to know too. Eventid.net wasn't helping...
>
>BW,
> Sorin
>
># Sorin Srbu, Systems Engineer                    Email: sorin.srbu@xxxxxxxxxxxxx
># Department of Medical Chemistry,                Web: http://www.farmaci.uu.se
># Division of Organic Pharmaceutical Chemistry,   Phone: +46-18-471-4482 >>> 5 signals >> GSM
># BMC, Box 574, Uppsala University                Cell Phone: +46-701-718023
># SE-751 23 Uppsala, Sweden                       Fax: +46-18-471-4474
># Visit: BMC, Husargatan 3, D5:512b
>#
># Public PGP key available on request.
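An offline check of the settings discussed in the thread above, as an added example that is not part of the original messages: it parses a regedit export (Version 5.00 format) and reports deviations. It assumes the "Additional Restrictions for Anonymous Connections" policy is stored as `RestrictAnonymous` under `Control\Lsa` with 2 meaning "No Access Without Explicit Permissions" on Windows 2000; the sample export is constructed, and key permissions are not part of a .reg export, so the ACL change is not covered.

```python
import re

# Constructed sample: regedit export (Version 5.00) of the two keys involved.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,\
  62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,00,00
"RestrictNullSessAccess"=dword:00000001
'''

LSA = r'hkey_local_machine\system\currentcontrolset\control\lsa'
PARAMS = r'hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters'

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): parsed value}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)          # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if not m or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('dword:'):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('hex(7):'):             # REG_MULTI_SZ, UTF-16LE
            data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
            current[name] = [s for s in data.decode('utf-16-le').split('\0') if s]
    return keys

def audit(text):
    """List deviations from the settings recommended in the thread."""
    keys, findings = parse_reg(text), []
    ra = keys.get(LSA, {}).get('restrictanonymous', 0)      # absent counts as 0
    if ra != 2:     # 2 = "No Access Without Explicit Permissions" (assumed mapping)
        findings.append(f'RestrictAnonymous={ra}: anonymous access not fully restricted')
    params = keys.get(PARAMS, {})
    if params.get('restrictnullsessaccess', 1) != 1:        # 1 is the default
        findings.append('RestrictNullSessAccess is not 1')
    pipes = params.get('nullsessionpipes', [])
    if pipes:       # pipes listed here stay reachable over a null session
        findings.append('NullSessionPipes allows: ' + ', '.join(pipes))
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE_REG)) or 'no findings')
```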