Solved

Restrict Anonymous Logon

Posted on 2004-09-11
19
996 Views
Last Modified: 2009-01-14
I have a 2003 box that I noticed in Event Viewer was allowing anonymous connections (event IDs 538 and 540).
I don't like anonymous logons, and there is no reason that users should need to access this particular server anonymously.


Researching this I found the following settings in GP were supposed to prevent Anonymous connections.

Local computer policy
comp config/windows settings/security settings/local policies/security options

allow anonymous sid/name translation = disabled
do not allow anonymous enumeration of sam accounts = enabled
do not allow anonymous enumeration of sam accounts and shares = enabled
let everyone permissions apply to anonymous users = disabled
restrict anonymous access to named pipes and shares = enabled
shares that can be accessed anonymously = blank  


Anonymous logons are still happening; even worse, they are happening from computers outside of my domain.
My main goal is to prevent all anonymous access to this machine.

I'm sure that I am not alone in my concern with anonymous logons or this particular problem.

Any help you can provide will be appreciated.
Rgds,
USKOR
0
Comment
Question by:uskor
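The settings listed in the question each map to a registry value that Group Policy writes on the server. The following script is an added example (not posted in the thread) that reads those values directly on the local machine and flags any that still permit anonymous access, which is a quick way to confirm that the policy actually applied before looking elsewhere. It assumes PowerShell 2.0 or later has been installed (Windows Server 2003 did not ship with it) and an elevated session on the server being checked; the value names and policy names are the ones Windows uses, but the "Wanted" settings express the question's goal of blocking all anonymous access, not the operating-system defaults.

```powershell
# Added example (not from the thread): audit the registry values behind the
# Security Options the question lists, on the local machine.
# Assumes PowerShell 2.0 or later on the server; run from an elevated session.

function Test-AnonymousAccessSettings {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # DWORD values written by the Security Options in the question, with the
    # setting that restricts anonymous access ("Wanted"). A value that is not
    # present at all is reported as "(not set)" and flagged for review.
    $checks = @(
        @{ Path=$lsa; Name='RestrictAnonymous';         Want=1;
           Policy='Do not allow anonymous enumeration of SAM accounts and shares' },
        @{ Path=$lsa; Name='RestrictAnonymousSAM';      Want=1;
           Policy='Do not allow anonymous enumeration of SAM accounts' },
        @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Want=0;
           Policy='Let Everyone permissions apply to anonymous users' },
        @{ Path=$srv; Name='RestrictNullSessAccess';    Want=1;
           Policy='Restrict anonymous access to Named Pipes and Shares' }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) {
            $actual = [int]$item.($c.Name)
            $status = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
        } else {
            $actual = '(not set)'
            $status = 'REVIEW'
        }
        New-Object PSObject -Property @{
            Status = $status; Policy = $c.Policy; Value = $c.Name
            Actual = $actual; Wanted = $c.Want
        }
    }

    # The two multi-string lists are the "shares/pipes that can be accessed
    # anonymously" settings. Anything listed here is reachable over a null
    # session even when the DWORDs above are restrictive. NullSessionPipes
    # carries an OS-default list used by some services, so review rather than
    # blindly clear it.
    foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
        $item = Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue
        $list = @()
        if ($item) { $list = @($item.$name | Where-Object { $_ -ne '' }) }
        $status = if ($list.Count -eq 0) { 'OK' } else { 'REVIEW' }
        New-Object PSObject -Property @{
            Status = $status; Policy = "$name (anonymous-accessible list)"; Value = $name
            Actual = ($list -join ', '); Wanted = '(empty)'
        }
    }
}

Test-AnonymousAccessSettings | Format-Table Status, Policy, Value, Actual, Wanted -AutoSize
```

Note that "Allow anonymous SID/Name translation" is an LSA policy setting rather than a plain registry value, so it is not covered by the script; it is still visible in the Security Options node of the local policy editor.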
19 Comments
 
LVL 12

Expert Comment

by:BNettles73
ID: 12037267


What functions and roles does this server provide?
Is this server internet accessible? WWW, Email, OWA, etc?
Is this server a DC/GC?

Have you read through this article?

Securing a Windows 2003 Server
http://www.microsoft.com/technet/security/guidance/secmod119.mspx

Have you considered sniffing the traffic?

I know you could restrict anonymous access over the network in older versions of NT by modifying the registry ...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1

You may want to verify and/or test it on a non-production box ...
0
 

Expert Comment

by:itsphantom
ID: 12040945
If it is coming from outside of your network I would start by doing a penetration test from outside my network. I assume this server is in a DMZ or a SCREENED SUBNET? If so what kind of firewalls is the server behind?
0
 

Author Comment

by:uskor
ID: 12058680
The server is not on a DMZ; we are part of a multiple master domain model with trusts etc., which is part of the reason that the connections are coming from users on other domains.
The server is not directly accessible from the web and sits behind well-maintained firewalls.
I reviewed the article that you sent, BNettles, and I think that I found what I am looking for in it. I will test tonight and see if it works.
If it does I will award the points to you.

Thanks all
USKOR
0
 

Author Comment

by:uskor
ID: 12064798
Still no joy.

I added the group to the "Deny access to this computer from the network" option in Group Policy for the local machine.

I'm looking for an easy answer here, not an in-depth security analysis.

Again all I want to be able to do is prevent anonymous logon on this one particular machine.
0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12064872

Check out this article ...
How to Use the RestrictAnonymous Registry Value in Windows 2000 (for 2K but relevant for 2K3)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;246261
0
 

Author Comment

by:uskor
ID: 12066301
This does not apply to Server 2003.
There is no "Additional restrictions for anonymous connections" object.

any other ideas?
0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12066363
You tried this and it didn't work?

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

Restart the computer after any change to the RestrictAnonymous key in the registry.

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments, and only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:
178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

0 None. Rely on default permissions

1 Do not allow enumeration of SAM accounts and names

2 No access without explicit anonymous permissions
0
 

Author Comment

by:uskor
ID: 12129789
Bnettles,
Sorry for the delayed response; things, as they do, got hectic for a while.

For the record, I set the reg value to 2 and so far, for the past 2 nights, no anonymous logons.
I was, I admit, a little apprehensive, as the only machine I had to test the reg hack on was a production machine... but all functional programs are working with the new setting in place.

I would like with your permission to give it 2 more days and if no anonymous connections have been made, award you the points.

thanks for all the info so far.
I will check back in the morning
RGDS,
USKOR.
0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12133060
np ... take as long as you like.

Brian
0
 

Author Comment

by:uskor
ID: 12137829
Brian,
I changed the value to 2 for the following strings in the following key
restrictanonymous=2
restrictanonymoussam=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Rebooted for the changes to take effect and for the first day all was ok.
This morning, on the other hand, I saw anonymous connections coming in from trusted domains again.

I'm baffled.
I would really like an answer to this one and not have to file it away in the "doesn't make sense" drawer.
Thanks for the info so far,
Reuben.
0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12180800

Have you tried sniffing the packets to find out where they are being generated? I'm wondering if it isn't the behavior of some sort of software that is loaded on the source or destination ... sorry for the slow response, I was traveling and not checking in much ...
0
 

Author Comment

by:uskor
ID: 12234341
Yes, I have been capturing traffic with Ethereal.
I know the traffic is being generated by machines on trusted domains; I have not analyzed the traffic, though. Trying to piece together a TCP stream is still a little beyond my skill set.

Opening the "doesn't make sense drawer" as I type.
USKOR
0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12237391

Read through this link and see if we missed anything ....

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/06basewn.mspx (still applicable for 2k3)

Do you have IIS installed on that box? If you don't need it ... remove it ....
I would remove all unneeded applications one by one, including the unneeded windows stuff (games etc ..) and monitor connections after each app is removed ...

Make sure you document as you go =) ... I'll look around later today and try to find something ... have you been to the NSA's website ... sometimes you can find some decent security docs there ...

0
 
LVL 12

Expert Comment

by:BNettles73
ID: 12252676
Any luck?
0
 

Author Comment

by:uskor
ID: 12621331
Still nothing,
IIS is not installed and there are not any non-critical programs on the box.
I'm at a loss.
0
 
LVL 12

Accepted Solution

by:
BNettles73 earned 200 total points
ID: 12621770


Here are a few other links ... might provide some insight as to why you are experiencing the anon logons ... I'll be back off vacation in a week and can discuss more then =)

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html
http://support.microsoft.com/kb/q143474/
http://www.windowsitlibrary.com/Content/121/04/5.html

If you have a tech republic membership - http://techrepublic.com.com/5100-6350-5287642.html

That being said -

If you are seeing logon type 3, that indicates a network logon for general file and print access. This is probably due to someone accessing a share or printer.

What resources are shared on the machine? Do you have Exchange or another application loaded up, that may be "talking" to other servers?

I'm pretty sure this link is posted above somewhere -
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 - http://kb/article.asp?id=Q246261 

From what I've read, Windows 2003 handles anonymous access a little differently in that it disallows the anonymous functions themselves rather than general access, so to restrict anonymous access to the server you have to restrict the specific action you want to prevent (such as anonymous enumeration of shares and SAM).

0
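The accepted answer points out that a logon type 3 entry is a network logon for file or print access and asks which remote machine is opening the session. The script below is an added example (not part of the thread) that pulls the successful network logons attributed to ANONYMOUS LOGON out of the Security log and groups them by the workstation, source address and logon process recorded in the event, which is usually enough to identify the service or job generating them without analysing a packet capture. It assumes PowerShell 2.0 or later on the Windows Server 2003 box, and that the events carry the pre-Vista layout the question refers to (event 540, with "Logon Type:", "Workstation Name:" and "Source Network Address:" lines in the message body); the regular expressions are written against that layout.

```powershell
# Added example (not from the thread): find anonymous network logons in the
# Security log and summarise them by origin. Assumes PowerShell 2.0+ on a
# Windows Server 2003 system and the pre-Vista event 540 message format.

function Get-AnonymousNetworkLogons {
    param([int]$Newest = 5000)   # how many recent Security entries to scan

    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 -and $_.Message -match 'ANONYMOUS LOGON' } |
        ForEach-Object {
            $m = $_.Message
            # Return the text following a "Label:" line in the message body,
            # or '' when the label is absent (older events lack some fields).
            $field = {
                param($label)
                if ($m -match "$label\s*([^\r\n]+)") { $matches[1].Trim() } else { '' }
            }
            New-Object PSObject -Property @{
                Time          = $_.TimeGenerated
                LogonType     = & $field 'Logon Type:'
                Workstation   = & $field 'Workstation Name:'
                SourceAddress = & $field 'Source Network Address:'
                LogonProcess  = & $field 'Logon Process:'
                AuthPackage   = & $field 'Authentication Package:'
            }
        }
}

# One noisy workstation usually points at a service or scheduled job on that
# machine; a spread of logon processes (NtLmSsp vs Kerberos) shows whether the
# sessions are null sessions from down-level or untrusted hosts.
Get-AnonymousNetworkLogons |
    Group-Object Workstation, SourceAddress, LogonProcess |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Raise `-Newest` if the log rolls quickly; reading the full log with message parsing is slow on a busy server, so a nightly run that writes the grouped output to a file is the practical way to track whether a setting change has actually stopped the logons.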
 
LVL 1

Expert Comment

by:Barron1299
ID: 23377399
Okay, so I have been trying to do the reverse of this and create an anonymous logon so that no credentials are needed. I want this to happen so that any computer that plugs into the network has full control of a share, but no matter what I do, the share requires either a username and password or being on the domain.
0
