Solved

Restrict Anonymous Logon

Posted on 2004-09-11
Last Modified: 2009-01-14
I have a 2003 box that, I noticed in Event Viewer, was allowing anonymous connections (event IDs 538 and 540).
I don't like anonymous logons and there is no reason that users should need to access this particular server anonymously.


Researching this I found the following settings in GP were supposed to prevent Anonymous connections.

Local computer policy
comp config/windows settings/security settings/local policies/security options

allow anonymous sid/name translation = disabled
do not allow anonymous enumeration of sam accounts = enabled
do not allow anonymous enumeration of sam accounts and shares = enabled
let everyone permissions apply to anonymous users = disabled
restrict anonymous access to named pipes and shares = enabled
shares that can be accessed anonymously = blank  


Anonymous logons are still happening, even worse it is happening from computers outside of my Domain.
My main goal is to prevent all anonymous access to this machine.

I'm sure that I am not alone in my concern with anonymous logons or this particular problem.

Any help you can provide will be appreciated.
Rgds,
USKOR
Question by:uskor
19 Comments
 
LVL 12

Expert Comment

by:BNettles73
ID: 12037267


What functions and roles does this server provide?
Is this server internet accessible? WWW, Email, OWA, etc?
Is this server a DC/GC?

Have you read through this article?

Securing a Windows 2003 Server
http://www.microsoft.com/technet/security/guidance/secmod119.mspx

Have you considered sniffing the traffic?

I know you could restrict anonymous access over the network in older versions of NT by modifying the registry ...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1

may want to verify and/or test it on a non production box ...
 

Expert Comment

by:itsphantom
ID: 12040945
If it is coming from outside of your network I would start by doing a penetration test from outside my network. I assume this server is in a DMZ or a SCREENED SUBNET? If so what kind of firewalls is the server behind?
 

Author Comment

by:uskor
ID: 12058680
The server is not on a DMZ; we are part of a multiple master domain model with trusts, etc., which is part of the reason that the connections are coming from users on other domains.
The server is not directly accessible from the web and sits behind well maintained firewalls.
I reviewed the article that you sent BNettles And I think that I found what I am looking for in it. I will test tonight and see if it works.
If it does I will award the points to you.

Thanks all
USKOR
 

Author Comment

by:uskor
ID: 12064798
Still no Joy,

I added the group to the "deny access to this computer from the network" option in Group Policy for the local machine.

I'm looking for an easy answer here, not an in-depth security analysis.

Again all I want to be able to do is prevent anonymous logon on this one particular machine.
 
LVL 12

Expert Comment

by:BNettles73
ID: 12064872

Check out this article ...
How to Use the RestrictAnonymous Registry Value in Windows 2000 (for 2K but relevant for 2K3)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;246261
 

Author Comment

by:uskor
ID: 12066301
This does not apply to Server 2003.
there is no "Additional restrictions for anonymous connections" object.

any other ideas?
 
LVL 12

Expert Comment

by:BNettles73
ID: 12066363
You tried this and it didn't work?

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

Restart the computer after any change to the RestrictAnonymous key in the registry.

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments, and only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:
178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

0 None. Rely on default permissions

1 Do not allow enumeration of SAM accounts and names

2 No access without explicit anonymous permissions
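The Group Policy settings listed in the question and the RestrictAnonymous value quoted above all live in the registry, so a script can confirm which ones are actually in force on the box and re-apply them if policy did not stick. The following PowerShell script is an added example, not code from this thread or from Microsoft. The policy-name-to-registry-value mapping is Microsoft's documented one for the Lsa and LanmanServer keys; the "Expected" data is an assumed hardened baseline, not a value anyone in the thread posted, and `-Enforce` is this script's own switch.

```powershell
# Added example, not code from the thread or from Microsoft: audit the registry
# values behind the anonymous-access Group Policy settings and report drift
# from a hardened baseline. Read-only unless -Enforce is given.
# The policy-name -> registry-value mapping follows Microsoft's security
# settings reference; the "Expected" data is an assumed baseline.
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Kind: 'Eq' = DWORD must equal Expected, 'Min' = DWORD must be >= Expected,
# 'Empty' = REG_MULTI_SZ must be absent or contain no entries.
$checks = @(
    @{ Path=$lsa; Name='RestrictAnonymousSAM';      Kind='Eq';    Expected=1
       Policy='Do not allow anonymous enumeration of SAM accounts' },
    @{ Path=$lsa; Name='RestrictAnonymous';         Kind='Min';   Expected=1
       Policy='Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Kind='Eq';    Expected=0
       Policy='Let Everyone permissions apply to anonymous users' },
    @{ Path=$srv; Name='RestrictNullSessAccess';    Kind='Eq';    Expected=1
       Policy='Restrict anonymous access to Named Pipes and Shares' },
    @{ Path=$srv; Name='NullSessionShares';         Kind='Empty'; Expected=$null
       Policy='Shares that can be accessed anonymously' },
    @{ Path=$srv; Name='NullSessionPipes';          Kind='Empty'; Expected=$null
       Policy='Named Pipes that can be accessed anonymously' }
)

function Test-AnonymousAccessSetting {
    param([hashtable]$Check)
    # A missing value reads back as $null; for DWORDs that counts as non-compliant.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name `
               -ErrorAction SilentlyContinue).($Check.Name)
    switch ($Check.Kind) {
        'Empty' { $ok = @($actual | Where-Object { $_ -ne '' }).Count -eq 0 }
        'Min'   { $ok = ($actual -ne $null) -and ([int]$actual -ge $Check.Expected) }
        default { $ok = ($actual -ne $null) -and ([int]$actual -eq $Check.Expected) }
    }
    New-Object PSObject -Property @{
        Policy    = $Check.Policy
        Value     = $Check.Name
        Expected  = $Check.Expected
        Actual    = $actual
        Compliant = $ok
    }
}

function Set-AnonymousAccessSetting {
    param([hashtable]$Check)
    if ($Check.Kind -eq 'Empty') {
        Set-ItemProperty -Path $Check.Path -Name $Check.Name -Type MultiString -Value ([string[]]@())
    } else {
        Set-ItemProperty -Path $Check.Path -Name $Check.Name -Type DWord -Value ([int]$Check.Expected)
    }
}

$results = foreach ($c in $checks) {
    $r = Test-AnonymousAccessSetting $c
    if ($Enforce -and -not $r.Compliant) {
        Set-AnonymousAccessSetting $c
        $r = Test-AnonymousAccessSetting $c   # re-read so the report shows the new state
    }
    $r
}

$results | Format-Table Policy, Value, Expected, Actual, Compliant -AutoSize
if ($Enforce) { Write-Warning 'Lsa and LanmanServer changes take effect after a reboot.' }
```

Run it without `-Enforce` first and compare the Actual column with what the local policy editor shows; a mismatch usually means a domain GPO is overriding the local setting. Note that "Allow anonymous SID/Name translation" is not a plain registry value and is deliberately not in the list.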
 

Author Comment

by:uskor
ID: 12129789
Bnettles,
sorry for the delayed response, things as they do, got hectic for a while.

For the record, I set the reg value to 2 and so far for the past 2 nights, no anonymous logons.
I was, I admit, a little apprehensive as the only machine I had to test the reg hack was a production machine...... but all functional programs are working with the new setting in place.

I would like with your permission to give it 2 more days and if no anonymous connections have been made, award you the points.

thanks for all the info so far.
I will check back in the morning
RGDS,
USKOR.
 
LVL 12

Expert Comment

by:BNettles73
ID: 12133060
np ... take as long as you like.

Brian
 

Author Comment

by:uskor
ID: 12137829
Brian,
I changed the value to 2 for the following strings in the following key
restrictanonymous=2
restrictanonymoussam=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Rebooted for the changes to take effect and for the first day all was ok.
This morning, on the other hand, I saw anonymous connections coming in from trusted domains again.

I'm Baffled,
Really would like an answer to this one and not have to file it away in the doesn't make sense drawer
Thanks so for the info so far
Reuben.
 
LVL 12

Expert Comment

by:BNettles73
ID: 12180800

Have you tried sniffing the packets to find out where they are being generated? I'm wondering if it isn't the behavior of some sort of software that is loaded on source or destination ... sorry for the slow response, I was traveling and not checking in much ...
 

Author Comment

by:uskor
ID: 12234341
Yes, I have been capturing traffic with ethereal,
I know the traffic is being generated by machines on trusted domains; I have not analyzed the traffic though. Trying to piece together a TCP stream is still a little beyond my skill set.

Opening the "doesn't make sense drawer" as I type.
USKOR
 
LVL 12

Expert Comment

by:BNettles73
ID: 12237391

Read through this link and see if we missed anything ....

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/06basewn.mspx (still applicable for 2k3)

Do you have IIS installed on that box? If you don't need it ... remove it ....
I would remove all unneeded applications one by one, including the unneeded windows stuff (games etc ..) and monitor connections after each app is removed ...

Make sure you document as you go =) ... I'll look around later today and try to find something ... have you been to the NSA's website ... sometimes you can find some decent security docs there ...

 
LVL 12

Expert Comment

by:BNettles73
ID: 12252676
Any luck?
 

Author Comment

by:uskor
ID: 12621331
Still nothing,
IIS is not installed and there are not any non-critical programs on the box.
I'm at a loss.
 
LVL 12

Accepted Solution

by:
BNettles73 earned 800 total points
ID: 12621770


Here are a few other links ... might provide some insight as to why you are experiencing the anon logons ... I'll be back off vacation in a week and can discuss more then =)

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html
http://support.microsoft.com/kb/q143474/
http://www.windowsitlibrary.com/Content/121/04/5.html

If you have a tech republic membership - http://techrepublic.com.com/5100-6350-5287642.html

That being said -

If you are seeing logon type 3, that indicates a network logon for general file and print access. This is probably due to someone accessing a share or printer.

What resources are shared on the machine? Do you have Exchange or another application loaded up, that may be "talking" to other servers?

I'm pretty sure this link is posted above somewhere -
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 - http://kb/article.asp?id=Q246261 

From what I've read, Windows 2003 handles anonymous access a little differently in that it
disallows the anonymous functions themselves rather than general access, so to restrict anonymous access to the server you have to restrict the specific action you want to prevent (such as anonymous enumeration of shares and SAM).

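The accepted answer points out that a type 3 logon is a network logon and asks which machines are connecting; the event text of a 540 entry already carries the answer in its Workstation Name and Source Network Address fields, which is simpler than reconstructing TCP streams from a capture. The following PowerShell script is an added example, not code from this thread. It assumes the pre-Vista Security log message layout (label, tab, value per line, as Windows 2003 writes for event 540); the sample events embedded in it are constructed, not real log data, and `New-SampleEvent` exists only to build them.

```powershell
# Added example, not code from the thread: summarise where anonymous network
# logons are coming from using the fields already in the event text (event ID
# 540 on Windows 2003: User Name, Logon Type, Workstation Name, Source Network
# Address), so the source can be found without analysing a packet capture.
# The field labels are those of the pre-Vista Security log message format;
# the sample events below are constructed, not real log data.

function ConvertFrom-LogonEventMessage {
    # Turn the "Label:<tab>value" lines of a Security event message into a hashtable.
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*?)\s*$') {
            $fields[$matches[1].Trim()] = $matches[2]
        }
    }
    return $fields
}

function Get-AnonymousLogonSummary {
    # $Events: objects with TimeGenerated and Message, as Get-EventLog returns.
    param([Object[]]$Events)
    $hits = foreach ($e in $Events) {
        $f = ConvertFrom-LogonEventMessage $e.Message
        # Keep only ANONYMOUS LOGON network (type 3) logons; user logons are ignored.
        if ($f['User Name'] -eq 'ANONYMOUS LOGON' -and $f['Logon Type'] -eq '3') {
            New-Object PSObject -Property @{
                Time        = $e.TimeGenerated
                Workstation = $f['Workstation Name']
                SourceIP    = $f['Source Network Address']
                AuthPackage = $f['Authentication Package']
            }
        }
    }
    # One row per (workstation, address) pair, busiest source first.
    $hits | Group-Object Workstation, SourceIP | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n='Source'; e={ $_.Name } },
            @{ n='First';  e={ @($_.Group | Sort-Object Time)[0].Time } },
            @{ n='Last';   e={ @($_.Group | Sort-Object Time)[-1].Time } }
}

# Constructed sample: two anonymous logons from one workstation in a trusted
# domain, one from another machine, and one normal user logon that must be ignored.
function New-SampleEvent([datetime]$Time, [string]$User, [string]$Domain,
                         [string]$Workstation, [string]$Address) {
    $msg = "Successful Network Logon:`r`n" +
           "`tUser Name:`t$User`r`n`tDomain:`t`t$Domain`r`n" +
           "`tLogon ID:`t`t(0x0,0x3E7)`r`n`tLogon Type:`t3`r`n" +
           "`tLogon Process:`tNtLmSsp`r`n`tAuthentication Package:`tNTLM`r`n" +
           "`tWorkstation Name:`t$Workstation`r`n`tLogon GUID:`t-`r`n" +
           "`tSource Network Address:`t$Address`r`n`tSource Port:`t1045"
    New-Object PSObject -Property @{ TimeGenerated = $Time; Message = $msg }
}
$sample = @(
    (New-SampleEvent '2004-09-11 02:10:00' 'ANONYMOUS LOGON' 'NT AUTHORITY' 'WKS-TRUSTED1' '10.1.1.5'),
    (New-SampleEvent '2004-09-11 02:40:00' 'ANONYMOUS LOGON' 'NT AUTHORITY' 'WKS-TRUSTED1' '10.1.1.5'),
    (New-SampleEvent '2004-09-11 03:05:00' 'ANONYMOUS LOGON' 'NT AUTHORITY' 'SRV-TRUSTED2' '10.2.2.9'),
    (New-SampleEvent '2004-09-11 08:00:00' 'jdoe'            'CORP'         'WKS-CORP7'    '10.0.0.7')
)
Get-AnonymousLogonSummary $sample | Format-Table -AutoSize

# Live use on the server (PowerShell on Windows 2003): last 24 hours of 540 events.
# Get-AnonymousLogonSummary (Get-EventLog -LogName Security -InstanceId 540 -After (Get-Date).AddDays(-1))
```

On the constructed sample the summary lists WKS-TRUSTED1 / 10.1.1.5 with a count of 2 and SRV-TRUSTED2 / 10.2.2.9 with a count of 1, and drops the jdoe logon. Run against the live log, the Workstation column names the machines in the trusted domains to look at, and the First/Last times show whether the connections follow a schedule, which is what distinguishes a service such as the Browser from a person opening a share.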
 
LVL 1

Expert Comment

by:Barron1299
ID: 23377399
Okay, so I have been trying to do the reverse of this and create an anonymous logon so that no credentials are needed. I want this to happen so that any computer that plugs into the network has full control of a share, but no matter what I do the share requires either a username and password or being on the domain.
