• Status: Solved

Restrict Anonymous Logon

I have a 2003 box that I noticed in Event Viewer was allowing anonymous connections (event IDs 538 and 540).
I don't like anonymous logons, and there is no reason that users should need to access this particular server anonymously.

Researching this, I found the following settings in GP that were supposed to prevent anonymous connections.

Local computer policy
comp config/windows settings/security settings/local policies/security options

allow anonymous sid/name translation = disabled
do not allow anonymous enumeration of sam accounts = enabled
do not allow anonymous enumeration of sam accounts and shares = enabled
let everyone permissions apply to anonymous users = disabled
restrict anonymous access to named pipes and shares = enabled
shares that can be accessed anonymously = blank

Anonymous logons are still happening; even worse, they are happening from computers outside of my domain.
My main goal is to prevent all anonymous access to this machine.

I'm sure that I am not alone in my concern with anonymous logons or this particular problem.

Any help you can provide will be appreciated.
Rgds,
USKOR
 
BNettles73 commented:

What functions and roles does this server provide?
Is this server internet accessible? WWW, Email, OWA, etc?
Is this server a DC/GC?

Have you read through this article?

Securing a Windows 2003 Server
http://www.microsoft.com/technet/security/guidance/secmod119.mspx

Have you considered sniffing the traffic?

I know you could restrict anonymous access over the network in older versions of NT by modifying the registry ...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1

You may want to verify and/or test it on a non-production box ...
 
itsphantom commented:
If it is coming from outside of your network, I would start by doing a penetration test from outside my network. I assume this server is in a DMZ or a SCREENED SUBNET? If so, what kind of firewalls is the server behind?
 
uskor (Author) commented:
The server is not on a DMZ; we are part of a multiple-master domain model with trusts etc., which is part of the reason that the connections are coming from users on other domains.
The server is not directly accessible from the web and sits behind well-maintained firewalls.
I reviewed the article that you sent, BNettles, and I think that I found what I am looking for in it. I will test tonight and see if it works.
If it does, I will award the points to you.

Thanks all
USKOR
 
uskor (Author) commented:
Still no joy.

I added the group to the "Deny access to this computer from the network" option in Group Policy for the local machine.

I'm looking for an easy answer here, not an in-depth security analysis.

Again all I want to be able to do is prevent anonymous logon on this one particular machine.
 
BNettles73 commented:

Check out this article ...
How to Use the RestrictAnonymous Registry Value in Windows 2000 (for 2K but relevant for 2K3)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;246261
 
uskor (Author) commented:
This does not apply to Server 2003.
There is no "Additional restrictions for anonymous connections" object.

Any other ideas?
 
BNettles73 commented:
You tried this and it didn't work?

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

Restart the computer after any change to the RestrictAnonymous key in the registry.

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments, and only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:
178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

0 None. Rely on default permissions

1 Do not allow enumeration of SAM accounts and names

2 No access without explicit anonymous permissions
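As an added example (not code from the thread or from Microsoft), here is a PowerShell audit of the registry values that back the "Network access" policies listed in the question, together with the RestrictAnonymous value the KB excerpt above describes, so the policy list can be compared against what the LSA on the box actually sees. It assumes PowerShell is installed on the 2003 server; the key paths and value names are the documented Windows 2000/2003 ones.

```powershell
# Added example, not from the thread: report the registry values behind the
# "Network access" policies in the question and flag anything still permissive.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-RegValue([string]$Key, [string]$Name) {
    # $null when the value is absent, so the caller reports "OS default" instead of guessing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Policy display name (as in secpol.msc), backing value, and the state the question wanted.
# "Allow anonymous SID/Name translation" is omitted: it lives in the LSA policy database,
# not in a plain registry value (secedit /export shows it as LSAAnonymousNameLookup).
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Key = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Key = $lsa; Name = 'RestrictAnonymous';         Want = 1 }
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Key = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares';           Key = $srv; Name = 'RestrictNullSessAccess';    Want = 1 }
)

# Meaning of RestrictAnonymous 0/1/2, as listed in the KB excerpt quoted in the thread.
$raMeaning = @{ 0 = 'None. Rely on default permissions'
                1 = 'Do not allow enumeration of SAM accounts and names'
                2 = 'No access without explicit anonymous permissions' }

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Key $c.Name
    if ($null -eq $actual)       { $state = 'not set (OS default applies)' }
    elseif ($actual -eq $c.Want) { $state = "OK ($actual)" }
    elseif ($c.Name -eq 'RestrictAnonymous' -and $actual -eq 2) { $state = "OK (2: $($raMeaning[2]))" }
    else                         { $state = "REVIEW ($actual, policy wants $($c.Want))" }
    "{0,-70} {1}" -f $c.Policy, $state
}

# "Shares that can be accessed anonymously" is NullSessionShares; NullSessionPipes is the
# named-pipe counterpart. Both are REG_MULTI_SZ and the question wants them blank.
foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
    $list = Get-RegValue $srv $name
    if ($list) { "{0,-70} {1}" -f $name, ($list -join ', ') }
    else       { "{0,-70} {1}" -f $name, 'blank' }
}
```

A value reported as "not set" is governed by the OS default rather than by the policy the question configured, which is worth knowing before concluding that Group Policy is being ignored.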
 
uskor (Author) commented:
BNettles,
Sorry for the delayed response; things, as they do, got hectic for a while.

For the record, I set the reg value to 2 and so far for the past 2 nights, no anonymous logons.
I was, I admit, a little apprehensive as the only machine I had to test the reg hack was a production machine...... but all functional programs are working with the new setting in place.

I would like with your permission to give it 2 more days and if no anonymous connections have been made, award you the points.

thanks for all the info so far.
I will check back in the morning
RGDS,
USKOR.
 
BNettles73 commented:
np ... take as long as you like.

Brian
 
uskor (Author) commented:
Brian,
I changed the value to 2 for the following strings in the following key:
restrictanonymous=2
restrictanonymoussam=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Rebooted for the changes to take effect and for the first day all was ok.
This morning, on the other hand, I saw anonymous connections coming in from trusted domains again.

I'm baffled.
I would really like an answer to this one and not have to file it away in the "doesn't make sense" drawer.
Thanks for all the info so far.
Reuben.
 
BNettles73 commented:
Have you tried sniffing the packets to find out where they are being generated? I'm wondering if it isn't the behavior of some sort of software that is loaded on source or destination ... sorry for the slow response, I was traveling and not checking in much ...
 
uskor (Author) commented:
Yes, I have been capturing traffic with Ethereal.
I know the traffic is being generated by machines on trusted domains; I have not analyzed the traffic, though. Trying to piece together a TCP stream is still a little beyond my skillset.

Opening the "doesn't make sense drawer" as I type.
USKOR
 
BNettles73 commented:
Read through this link and see if we missed anything ....

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/06basewn.mspx (still applicable for 2k3)

Do you have IIS installed on that box? If you don't need it ... remove it ....
I would remove all unneeded applications one by one, including the unneeded windows stuff (games etc ..) and monitor connections after each app is removed ...

Make sure you document as you go =) ... I'll look around later today and try to find something ... have you been to the NSA's website ... sometimes you can find some decent security docs there ...

 
BNettles73 commented:
Any luck?
 
uskor (Author) commented:
Still nothing.
IIS is not installed and there are not any non-critical programs on the box.
I'm at a loss.
 
BNettles73 commented:

Here are a few other links ... might provide some insight as to why you are experiencing the anon logons ... I'll be back off vacation in a week and can discuss more then =)

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html
http://support.microsoft.com/kb/q143474/
http://www.windowsitlibrary.com/Content/121/04/5.html

If you have a tech republic membership - http://techrepublic.com.com/5100-6350-5287642.html

That being said -

If you are seeing logon type 3, that indicates a network logon for general file and print access. This is probably due to someone accessing a share or printer.

What resources are shared on the machine? Do you have Exchange or another application loaded up, that may be "talking" to other servers?

I'm pretty sure this link is posted above somewhere -
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 - http://kb/article.asp?id=Q246261 

From what I've read, Windows 2003 handles anonymous access a little differently in that it disallows the anonymous functions themselves rather than general access, so to restrict anonymous access to the server you have to restrict the specific action you want to prevent (such as anonymous enumeration of shares and SAM).

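As an added example (not code from the thread), a PowerShell triage of the 540 events the question started with, answering Brian's question about where the logons are generated and his point that logon type 3 means network access to a share or printer: it pulls the ANONYMOUS LOGON network logons from the classic Security log and groups them by the workstation, source address and logon process recorded in each event, so the originating hosts are visible without first decoding an Ethereal capture. It assumes PowerShell 2.0 (for Get-EventLog) on the server and the Windows 2003 layout of the event 540 message text.

```powershell
# Added example, not from the thread: group successful anonymous network logons
# (event 540) by where they came from, using the fields in the event message.
param([int]$Days = 1)

# Pulls one "Label:<tab>value" field out of the 540 message body; '' if absent.
function Get-Field([string]$Message, [string]$Label) {
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$")
    if ($m.Success) { return $m.Groups[1].Value } else { return '' }
}

function Get-AnonymousNetworkLogons([int]$Days) {
    # Classic Security log on 2003; filter on EventID 540 and the anonymous account name.
    Get-EventLog -LogName Security -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 540 -and $_.Message -match 'User Name:\s+ANONYMOUS LOGON' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                LogonType   = Get-Field $_.Message 'Logon Type'               # 3 = network
                Process     = Get-Field $_.Message 'Logon Process'            # e.g. NtLmSsp
                Package     = Get-Field $_.Message 'Authentication Package'   # e.g. NTLM
                Workstation = Get-Field $_.Message 'Workstation Name'
                Source      = Get-Field $_.Message 'Source Network Address'   # present from 2003 SP1
            }
        }
}

$events = @(Get-AnonymousNetworkLogons -Days $Days)
"{0} anonymous network logons in the last {1} day(s)" -f $events.Count, $Days

# One row per origin: the trusted-domain hosts the question mentions stand out here,
# and the Process/Package columns show which mechanism is opening the null session.
$events | Group-Object Workstation, Source, Process, Package |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Workstation, Source, Process, Package'; e = { $_.Name } },
        @{ n = 'Last seen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Matching the workstation names against the trusts uskor describes, and checking whether the same hosts show up in share or printer access events around the same timestamps, narrows down which service on the source side is opening the null session.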
 
Barron1299 commented:
Okay, so I have been trying to do the reverse of this and create an anonymous logon so that no credentials are needed. I want this to happen so that any computer that plugs into the network has full control of a share, but no matter what I do the share requires either a username and password or being on the domain.