Restrict Anonymous Users

Check Description

This check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections on the scanned computer.

Anonymous users can list certain types of system information, including user names and details, account policies, and share names. Users who want enhanced security can restrict this function so that anonymous users cannot access this information.

Additional Information

The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. You can set this to any of the following values:

0 - None. Rely on default permissions.

1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.

2 - No access without explicit anonymous permissions (not available on Microsoft® Windows NT® 4.0).

We do not recommend setting RestrictAnonymous to 2 on domain controllers or on computers running Small Business Server (SBS) unless they are in pure Windows® 2000 environments and have been tested for application compatibility. For more details on configuring RestrictAnonymous on domain controllers and in Windows 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.

Note

In Windows XP, there is a new registry setting (EveryoneIncludesAnonymous) that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems.

Additional Resources

Restricting Information Available to Anonymous Logon Users (143474) (Windows NT 4.0)

How to Use the RestrictAnonymous Registry Value in Windows 2000 (246261)