Restrict Anonymous Logon

Posted on 2004-09-11
Medium Priority
Last Modified: 2009-01-14
I have a 2003 box that I noticed in event viewer was allowing Anonymous connections Event id 538 and 540.
I don't like anonymous logons and there is no reason that users should need to access this particular server anonymously.

Researching this I found the following settings in GP were supposed to prevent Anonymous connections.

Local computer policy
comp config/windows settings/security settings/local policies/security options

allow anonymous sid/name translation = disabled
do not allow anonymous enumeration of sam accounts = enabled
do not allow anonymous enumeration of sam accounts and shares = enabled
let everyone permissions apply to anonymous users = disabled
restrict anonymous access to named pipes and shares = enabled
shares that can be accessed anonymously = blank

Anonymous logons are still happening, even worse it is happening from computers outside of my Domain.
My main goal is to prevent all anonymous access to this machine.

I'm sure that I am not alone in my concern with anonymous logons or this particular problem.

Any help you can provide will be appreciated.
Question by:uskor
LVL 12

Expert Comment

ID: 12037267

What functions and roles does this server provide?
Is this server internet accessible? WWW, Email, OWA, etc?
Is this server a DC/GC?

Have you read through this article?

Securing a Windows 2003 Server

Have you considered sniffing the traffic?

I know you could restrict anonymous access over the network in older versions of NT by modifying the registry ...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1

may want to verify and/or test it on a non production box ...

Expert Comment

ID: 12040945
If it is coming from outside of your network I would start by doing a penetration test from outside my network. I assume this server is in a DMZ or a SCREENED SUBNET? If so what kind of firewalls is the server behind?

Author Comment

ID: 12058680
The server is not on a DMZ; we are part of a multiple master domain model with trusts etc., which is part of the reason that the connections are coming from users on other domains.
The server is not directly accessible from the web and sits behind well maintained firewalls.
I reviewed the article that you sent, BNettles, and I think that I found what I am looking for in it. I will test tonight and see if it works.
If it does I will award the points to you.

Thanks all

Author Comment

ID: 12064798
Still no joy.

I added the group to the "deny access to this computer from the network" option in Group Policy for the local machine.

I'm looking for an easy answer here, not an in-depth security analysis.

Again all I want to be able to do is prevent anonymous logon on this one particular machine.
LVL 12

Expert Comment

ID: 12064872

Check out this article ...
How to Use the RestrictAnonymous Registry Value in Windows 2000 (for 2K but relevant for 2K3)

Author Comment

ID: 12066301
This does not apply to Server 2003.
There is no "Additional restrictions for anonymous connections" object.

any other ideas?
LVL 12

Expert Comment

ID: 12066363
You tried this and it didn't work?

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:

Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

Restart the computer after any change to the RestrictAnonymous key in the registry.

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments, and only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:
178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

0 None. Rely on default permissions

1 Do not allow enumeration of SAM accounts and names

2 No access without explicit anonymous permissions

Author Comment

ID: 12129789
Sorry for the delayed response; things, as they do, got hectic for a while.

For the record, I set the reg value to 2 and so far for the past 2 nights, no anonymous logons.
I was, I admit, a little apprehensive as the only machine I had to test the reg hack was a production machine...... but all functional programs are working with the new setting in place.

I would like with your permission to give it 2 more days and if no anonymous connections have been made, award you the points.

thanks for all the info so far.
I will check back in the morning
LVL 12

Expert Comment

ID: 12133060
np ... take as long as you like.


Author Comment

ID: 12137829
I changed the value to 2 for the following strings in the following key

Rebooted for the changes to take effect and for the first day all was ok.
This morning, on the other hand, I saw Anonymous connections coming in from trusted domains again.

I'm baffled.
I would really like an answer to this one and not have to file it away in the "doesn't make sense" drawer.
Thanks for the info so far.
LVL 12

Expert Comment

ID: 12180800

Have you tried sniffing the packets to find out where they are being generated? I'm wondering if it isn't the behavior of some sort of software that is loaded on source or destination ... sorry for the slow response, I was traveling and not checking in much ...

Author Comment

ID: 12234341
Yes, I have been capturing traffic with Ethereal.
I know the traffic is being generated by machines on trusted domains; I have not analyzed the traffic though. Trying to piece together a TCP stream is still a little beyond my skillset.

Opening the "doesn't make sense drawer" as I type.
LVL 12

Expert Comment

ID: 12237391

Read through this link and see if we missed anything ....

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/06basewn.mspx (still applicable for 2k3)

Do you have IIS installed on that box? If you don't need it ... remove it ....
I would remove all unneeded applications one by one, including the unneeded windows stuff (games etc ..) and monitor connections after each app is removed ...

Make sure you document as you go =) ... I'll look around later today and try to find something ... have you been to the NSA's website ... sometimes you can find some decent security docs there ...

LVL 12

Expert Comment

ID: 12252676
Any luck?

Author Comment

ID: 12621331
Still nothing,
IIS is not installed and there are not any non-critical programs on the box.
I'm at a loss.
LVL 12

Accepted Solution

BNettles73 earned 800 total points
ID: 12621770

Here are a few other links ... might provide some insight as to why you are experiencing the anon logons ... I'll be back off vacation in a week and can discuss more then =)


If you have a tech republic membership - http://techrepublic.com.com/5100-6350-5287642.html

That being said -

If you are seeing logon type 3, that indicates a network logon for general file and print access. This is probably due to someone accessing a share or printer.

What resources are shared on the machine? Do you have Exchange or another application loaded up, that may be "talking" to other servers?

I'm pretty sure this link is posted above somewhere -
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 - http://kb/article.asp?id=Q246261 

From what I've read, Windows 2003 handles anonymous access a little differently in that it disallows the anonymous functions themselves rather than general access, so to restrict anonymous access to the server you have to restrict the specific action you want to prevent (such as anonymous enumeration of shares and SAM).
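The settings the question lists and the RestrictAnonymous value discussed above are all backed by registry values. The following audit script is an added example, not something posted in the thread; it reads those values on the local machine and flags any that differ from the hardened configuration described in the question. It assumes Windows PowerShell 3.0 or later and that the current user can read HKLM.

```powershell
# Added example (not from the thread): audit the registry values behind the
# "Network access" Security Options named in the question.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the OS default applies
}

# Each check: the policy as shown in the question, its backing value, and the hardened condition.
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares (enabled)'
       Path = $lsa; Name = 'RestrictAnonymous';         Test = { param($v) $v -ge 1 } },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts (enabled)'
       Path = $lsa; Name = 'RestrictAnonymousSAM';      Test = { param($v) $v -eq 1 } },
    @{ Policy = 'Let Everyone permissions apply to anonymous users (disabled)'
       Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Test = { param($v) $v -eq 0 } },
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares (enabled)'
       Path = $srv; Name = 'RestrictNullSessAccess';    Test = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $ok = ($null -ne $actual) -and (& $c.Test $actual)
    if ($null -eq $actual) { $shown = '(not set)' } else { $shown = $actual }
    if ($ok) { $status = 'OK' } else { $status = 'REVIEW' }
    [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; Actual = $shown; Status = $status }
}

# "Shares that can be accessed anonymously" and the matching pipe list should both be blank.
foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
    $entries = @(Get-RegValue -Path $srv -Name $name | Where-Object { $_ -ne '' })
    if ($entries.Count) { $shown = $entries -join ', '; $status = 'REVIEW' }
    else                { $shown = '(blank)';            $status = 'OK' }
    $report += [pscustomobject]@{
        Policy = "$name (anonymous exceptions, should be blank)"
        Value  = $name; Actual = $shown; Status = $status
    }
}

$report | Format-Table -AutoSize
```

A clean report confirms the configuration from the question is actually in effect on the box; as the accepted answer notes, on 2003 these values limit what an anonymous session can do rather than suppressing the logon event itself, so a null session from a trusted-domain client can still appear as event 540.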


Expert Comment

ID: 23377399
Okay, so I have been trying to do the reverse of this and create anonymous logon so that no credentials are needed. I want this to happen so that any computer that plugs into the network has full control of a share, but no matter what I do the share requires either a username and password or being on the domain.
