Restrict Anonymous Users
Issue
The RestrictAnonymous registry setting controls the level of enumeration granted to an anonymous user. If RestrictAnonymous is set to 0 (the default setting), any user can obtain system information, including: user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system. The list of user names and share names could help potential attackers identify who is an administrator, which computers have weak account protection, and which computers share information with the network.
Solution
To restrict anonymous connections from accessing this system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in (the setting is defined in the Local Policies portion of the default security templates) or through a registry editor. You can change the registry setting from 0 to 1 in Microsoft® Windows NT® 4.0, or from 0 to 1 or 2 in Windows® 2000:
0 - None. Rely on default permissions.
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0).
Caution
- Before you set this value to 2, see article 246261, "How to Use the RestrictAnonymous Registry Value in Windows 2000." We recommend that you do not set this value to 2 on domain controllers or computers running Small Business Server (SBS) in Mixed-Mode environments (for example, networks with downlevel clients). In addition, client machines with RestrictAnonymous set to 2 should not take on the role of master browser. For more details on configuring RestrictAnonymous on domain controllers and in Windows 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.
Note
- In Windows XP, there is a new EveryoneIncludesAnonymous registry setting that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP. This provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems. The EveryoneIncludesAnonymous setting can be configured through the Security Configuration Manager snap-in (the setting is defined in the Local Policies portion of the security template) on Windows XP Professional systems or through a registry editor. This setting is located within the same registry key as RestrictAnonymous. For registry path information, see the following Knowledge Base articles.
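The following PowerShell audit script is an added example, not part of the original article: it reads RestrictAnonymous and EveryoneIncludesAnonymous from the registry, reports what the configured level means, and flags the caveats raised in the Caution and Note above. The registry key path and the role switches (domain controller, SBS mixed mode, master browser) are assumptions supplied by the operator; confirm the path against the Knowledge Base articles this page cites.

```powershell
# Added example (not from the original article): audit the anonymous-enumeration
# settings this page discusses and report the caveats it raises.
# Assumption: both values live under the Lsa key below; confirm the path against
# KB 143474 / KB 246261, which this page cites for registry path information.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousRestriction {
    param(
        [string]$KeyPath = $LsaKey,
        # Role flags are supplied by the operator; the script does not detect them.
        [switch]$IsDomainController,
        [switch]$IsSbsMixedMode,
        [switch]$IsMasterBrowser
    )
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    # A missing value means the default: RestrictAnonymous = 0.
    $ra  = if ($null -ne $props.RestrictAnonymous) { [int]$props.RestrictAnonymous } else { 0 }
    # $null when the value is absent (pre-XP system, or never configured).
    $eia = $props.EveryoneIncludesAnonymous

    $meaning = switch ($ra) {
        0 { 'None. Rely on default permissions (anonymous users can enumerate user names, account policies and share names).' }
        1 { 'Do not allow enumeration of SAM accounts and names.' }
        2 { 'No access without explicit anonymous permissions (not available on Windows NT 4.0).' }
        default { "Unrecognised value $ra." }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($ra -eq 0) {
        $findings.Add('RestrictAnonymous is at the default (0); anonymous enumeration is allowed.')
    }
    if ($ra -eq 2 -and ($IsDomainController -or $IsSbsMixedMode)) {
        $findings.Add('RestrictAnonymous=2 is not recommended on domain controllers or SBS in mixed-mode environments (see KB 246261).')
    }
    if ($ra -eq 2 -and $IsMasterBrowser) {
        $findings.Add('A client with RestrictAnonymous=2 should not take on the master browser role.')
    }
    if ($null -ne $eia -and [int]$eia -ne 0) {
        $findings.Add('EveryoneIncludesAnonymous is non-zero: permissions granted to Everyone apply to anonymous users (Windows XP default is 0).')
    }

    [pscustomobject]@{
        RestrictAnonymous         = $ra
        Meaning                   = $meaning
        EveryoneIncludesAnonymous = $eia
        Findings                  = $findings
    }
}

# Usage: run in an elevated session on the host being audited; pass the role
# switches that apply, e.g. Get-AnonymousRestriction -IsDomainController
Get-AnonymousRestriction | Format-List
```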
Additional Resources
Restricting Information Available to Anonymous Logon Users (143474) (Windows NT 4.0)
How to Use the RestrictAnonymous Registry Value in Windows 2000 (246261)
©2002-2004 Microsoft Corporation. All rights reserved.