The RestrictAnonymous registry setting controls the level of enumeration granted to an anonymous user. If RestrictAnonymous is set to 0 (that is, the default setting), any user can obtain system information, including: user names and details, account policies, and share names. Anonymous users can use this information in an attack against your system. The list of user names and share names could help potential attackers identify who is an administrator, which computers have weak account protection, and which computers share information with the network.
Solution
To restrict anonymous connections from accessing this system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in (setting is defined in the Local Policies portion of the default security templates), or through a registry editor. You can change the registry setting from 0 to 1 in Microsoft Windows NT 4.0, or from 0 to 1 or 2 in Windows 2000:
0 - None. Rely on default permissions
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)
Caution: Before you set this value to 2, see article Q246261, "How to Use the RestrictAnonymous Registry Value in Windows 2000." It is recommended that you do not set this value to 2 on Domain Controllers in mixed-mode environments (e.g., networks with downlevel clients). In addition, client machines with RestrictAnonymous set to 2 should not take on the role of master browser.
Additional Information
The RestrictAnonymous registry key controls the level of enumeration granted to an anonymous user. This key can be set to any of the following values:
0 - None. Rely on default permissions
1 - Do not allow enumeration of SAM accounts and names
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)
Note: In Windows XP there is a new registry setting (EveryoneIncludesAnonymous) that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restriction as the RestrictAnonymous setting in previous Windows operating systems. The EveryoneIncludesAnonymous setting can be configured through the Security Configuration Manager snap-in (the setting is defined in the Local Policies portion of the security template) on Windows XP Professional systems, or through a registry editor. This setting is located within the same registry key as RestrictAnonymous (see the Knowledge Base articles below for registry path information).
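As an added example, not part of the original Microsoft text, the following PowerShell script audits both settings discussed above (RestrictAnonymous from the Solution section and EveryoneIncludesAnonymous from the Note) and reports them in the page's own terms. It assumes the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which this page leaves to the Knowledge Base articles below, and that both values are REG_DWORD; the domain-controller check relies on Win32_ComputerSystem.DomainRole values 4 and 5 (backup and primary domain controller), which the page does not mention. PowerShell postdates the operating systems discussed here; the same values can be inspected with the registry editor as the page describes.

```powershell
# Added example (not from the original MBSA help text): audit the anonymous-enumeration
# settings described on this page and, optionally, raise RestrictAnonymous from 0 to 1.
# Assumptions not stated on the page: the values live under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the path the referenced KB articles give),
# and both values are REG_DWORD.

param(
    [switch]$Remediate   # when set, change RestrictAnonymous from 0 to 1 (never to 2)
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meanings of RestrictAnonymous, as listed on this page.
$RestrictAnonymousMeaning = @{
    0 = 'None. Rely on default permissions'
    1 = 'Do not allow enumeration of SAM accounts and names'
    2 = 'No access without explicit anonymous permissions (not available on Windows NT 4.0)'
}

function Get-LsaDword {
    param([string]$Name)
    # Return $null when the value is absent so the caller can report that explicitly.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

$ra  = Get-LsaDword -Name 'RestrictAnonymous'
$eia = Get-LsaDword -Name 'EveryoneIncludesAnonymous'

# An absent RestrictAnonymous value is equivalent to the default of 0.
$raShown = if ($null -eq $ra) { 0 } else { $ra }
Write-Output ("RestrictAnonymous = {0} ({1})" -f $raShown, $RestrictAnonymousMeaning[$raShown])
if ($null -eq $ra) { Write-Output '  (value absent: treated as the default, 0)' }

if ($null -ne $eia) {
    # EveryoneIncludesAnonymous exists only on Windows XP and later (see the Note above).
    $eiaText = if ($eia -eq 0) { 'Everyone permissions do NOT apply to anonymous users (default)' } else { 'Everyone permissions DO apply to anonymous users' }
    Write-Output ("EveryoneIncludesAnonymous = {0} ({1})" -f $eia, $eiaText)
}

# Findings, stated in the page's terms.
if ($raShown -eq 0) {
    Write-Warning 'Anonymous users can enumerate user names, account policies and share names.'
}
if ($raShown -eq 2 -and (Test-IsDomainController)) {
    Write-Warning 'RestrictAnonymous=2 on a Domain Controller: review Q246261 before keeping this in a mixed-mode environment.'
}
if ($null -ne $eia -and $eia -eq 1) {
    Write-Warning 'EveryoneIncludesAnonymous=1 re-grants Everyone permissions to anonymous users.'
}

if ($Remediate -and $raShown -eq 0) {
    # Step the value to 1 only; 2 requires the Q246261 review called out in the Caution above.
    Set-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous' -Value 1 -Type DWord
    Write-Output 'RestrictAnonymous set to 1. Restart the computer so the new value takes effect.'
}
```

Run it from an elevated PowerShell prompt without arguments to audit only; add -Remediate to apply the 0-to-1 change the Solution section recommends. The script deliberately never sets 2, since the page reserves that value for the Q246261 review and warns against it on domain controllers in mixed-mode environments.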
Restricting Information Available to Anonymous Logon Users (Q143474) (Windows NT 4.0)
How to Use the RestrictAnonymous Registry Value in Windows 2000 (Q246261)
© 2002 Microsoft Corporation. All rights reserved.