Access Denied: Preventing Anonymous Users from Gaining Access to Files and Other Resources

I've heard that including the Everyone group in ACLs is dangerous and that I should replace Everyone with Authenticated Users to prevent anonymous users from gaining access to my files and other resources. Should I make this replacement?

Although people often overstate the risks of using the Everyone group, you should know what those risks are. First, let me address the problem that anonymous connections pose. Then, I discuss how anonymous connections and the Everyone group are associated and show you how to address the risk their association presents.

By default, Windows 2000 and Windows NT let anonymous connections list usernames and shares. This default supports users who use Network Neighborhood to browse share folders in a trusted domain in which the trust relationship is one-way. However, the anonymous connection provides information (e.g., usernames, SIDs from the SAM) that a potential attacker who might be reconnoitering your network to target account names can use.

You can use Group Policy to prevent people from getting this information through anonymous connections. You can find the policy you need in any Group Policy Object (GPO) in computer configurationwindows settingssecurity settingslocal policiessecurity options. Set Additional restrictions for anonymous access to Do not allow enumeration of SAM accounts and shares.

Now, let me discuss administrators' concerns about the risks of Everyone and anonymous connections—namely, that the Everyone group includes anonymous connections. As you've probably noticed, Everyone is used extensively in default ACLs for files and other objects. Because administrators feared the potential vulnerabilities of having Everyone listed in default ACLs, Microsoft added the Authenticated Users group.

However, you don't need to replace every occurrence of Everyone with Authenticated Users to make sure that anonymous connections never access your resources. Instead, set Additional restrictions for anonymous access to No access without explicit anonymous permissions. This setting prevents Win2K from adding Everyone to the access token of anonymous connections at logon. If an anonymous user tries to access an object, the access token doesn't contain Everyone, and the permissions granted to Everyone won't apply.

The biggest danger that the Everyone group poses is in multiple-domain environments. Designating Everyone in a standalone domain is different from designating Everyone in a domain that trusts one or more other domains. In a standalone domain, Everyone simply designates all users in that domain. But when domain A trusts domain B, Everyone includes all the users in domain A and domain B. In an AD forest, all domains trust each other—so Everyone includes all users in the entire forest. If you want to limit access to the users of just one domain, use Domain Users instead of Everyone in ACLs.