Restricting Anonymous Connections in Win2K
December 2, 2007
What happened to the Additional restrictions for anonymous connections setting in Group Policy Objects (GPOs) on Windows Server 2003 and Windows XP computers? This setting appears in GPOs viewed on Windows 2000 systems but not on systems running XP or later.
The Additional restrictions for anonymous connections policy corresponds to the Network access: Do not allow anonymous enumeration of SAM accounts and shares policy, which you see only when editing GPOs under Windows 2003 or XP. On Win2K, you can set the Additional restrictions for anonymous connections policy to one of three values: None. Rely on default permissions; Do not allow enumeration of SAM accounts and shares; or No access without explicit anonymous permissions. The None. Rely on default permissions value allows anonymous enumeration of local accounts and shares. Do not allow enumeration of SAM accounts and shares does what the name says but still allows some information leakage. For instance, an attacker can still get the system to translate a SID to a username, which allows the attacker to discover the name of the Administrator account, even if you've renamed it. No access without explicit anonymous permissions disables anonymous connections altogether. The second and third values can cause compatibility problems among the systems on your network, especially if your network has pre-Win2K computers.
— Randy Franklin Smith
About the Author
You May Also Like