Solved

Restrict Anonymous Logon

Posted on 2004-09-11
Last Modified: 2009-01-14
I have a 2003 box that I noticed in Event Viewer was allowing anonymous connections (event IDs 538 and 540).
I don't like anonymous logons, and there is no reason that users should need to access this particular server anonymously.


Researching this I found the following settings in GP were supposed to prevent Anonymous connections.

Local computer policy
comp config/windows settings/security settings/local policies/security options

allow anonymous sid/name translation = disabled
do not allow anonymous enumeration of sam accounts = enabled
do not allow anonymous enumeration of sam accounts and shares = enabled
let everyone permissions apply to anonymous users = disabled
restrict anonymous access to named pipes and shares = enabled
shares that can be accessed anonymously = blank  


Anonymous logons are still happening; even worse, they are happening from computers outside of my domain.
My main goal is to prevent all anonymous access to this machine.

I'm sure that I am not alone in my concern with anonymous logons or this particular problem.

Any help you can provide will be appreciated.
Rgds,
USKOR
Question by:uskor
 
LVL 12

Expert Comment

by:BNettles73


What functions and roles does this server provide?
Is this server internet accessible? WWW, Email, OWA, etc?
Is this server a DC/GC?

Have you read through this article?

Securing a Windows 2003 Server
http://www.microsoft.com/technet/security/guidance/secmod119.mspx

Have you considered sniffing the traffic?

I know you could restrict anonymous access over the network in older versions of NT by modifying the registry ...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and change the RestrictAnonymous value to 1

may want to verify and/or test it on a non production box ...
 

Expert Comment

by:itsphantom
If it is coming from outside of your network, I would start by doing a penetration test from outside my network. I assume this server is in a DMZ or a screened subnet? If so, what kind of firewalls is the server behind?
 

Author Comment

by:uskor
The server is not on a DMZ; we are part of a multiple master domain model with trusts etc., which is part of the reason that the connections are coming from users on other domains.
The server is not directly accessible from the web and sits behind well maintained firewalls.
I reviewed the article that you sent, BNettles, and I think that I found what I am looking for in it. I will test tonight and see if it works.
If it does I will award the points to you.

Thanks all
USKOR
 

Author Comment

by:uskor
Still no joy.

I added the group to the "Deny access to this computer from the network" option in Group Policy for the local machine.

I'm looking for an easy answer here, not an in-depth security analysis.

Again all I want to be able to do is prevent anonymous logon on this one particular machine.
 
LVL 12

Expert Comment

by:BNettles73

Check out this article ...
How to Use the RestrictAnonymous Registry Value in Windows 2000 (for 2K but relevant for 2K3)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;246261
 

Author Comment

by:uskor
This does not apply to Server 2003.
there is no "Additional restrictions for anonymous connections" object.

any other ideas?
 
LVL 12

Expert Comment

by:BNettles73
You tried this and it didn't work?

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the following value to this key, or modify it if the value already exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

Restart the computer after any change to the RestrictAnonymous key in the registry.

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot authenticate the administrator in the trusting domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.
Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments, and only after sufficient quality assurance tests have verified that appropriate service levels and program functionality are maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:
178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

0 None. Rely on default permissions

1 Do not allow enumeration of SAM accounts and names

2 No access without explicit anonymous permissions
 

Author Comment

by:uskor
Bnettles,
sorry for the delayed response; things, as they do, got hectic for a while.

For the record, I set the reg value to 2 and so far for the past 2 nights, no anonymous logons.
I was, I admit, a little apprehensive, as the only machine I had to test the reg hack on was a production machine... but all functional programs are working with the new setting in place.

I would like with your permission to give it 2 more days and if no anonymous connections have been made, award you the points.

thanks for all the info so far.
I will check back in the morning
RGDS,
USKOR.
 
LVL 12

Expert Comment

by:BNettles73
np ... take as long as you like.

Brian
 

Author Comment

by:uskor
Brian,
I changed the following values to 2 in the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
restrictanonymous=2
restrictanonymoussam=2

Rebooted for the changes to take effect and for the first day all was ok.
This morning, on the other hand, I saw anonymous connections coming in from trusted domains again.

I'm Baffled,
I really would like an answer to this one and not have to file it away in the "doesn't make sense" drawer.
Thanks so for the info so far
Reuben.
 
LVL 12

Expert Comment

by:BNettles73

Have you tried sniffing the packets to find out where they are being generated? I'm wondering if it isn't the behavior of some sort of software that is loaded on source or destination ... sorry for the slow response, I was traveling and not checking in much ...
 

Author Comment

by:uskor
Yes, I have been capturing traffic with Ethereal.
I know the traffic is being generated by machines on trusted domains; I have not analyzed the traffic, though. Trying to piece together a TCP stream is still a little beyond my skill set.

Opening the "doesn't make sense drawer" as I type.
USKOR
 
LVL 12

Expert Comment

by:BNettles73

Read through this link and see if we missed anything ....

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/06basewn.mspx (still applicable for 2k3)

Do you have IIS installed on that box? If you don't need it ... remove it ....
I would remove all unneeded applications one by one, including the unneeded windows stuff (games etc ..) and monitor connections after each app is removed ...

Make sure you document as you go =) ... I'll look around later today and try to find something ... have you been to the NSA's website ... sometimes you can find some decent security docs there ...

 
LVL 12

Expert Comment

by:BNettles73
Any luck?
 

Author Comment

by:uskor
Still nothing,
IIS is not installed and there are not any non-critical programs on the box.
I'm at a loss.
 
LVL 12

Accepted Solution

by:
BNettles73 earned 200 total points


Here are a few other links ... might provide some insight as to why you are experiencing the anon logons ... I'll be back off vacation in a week and can discuss more then =)

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html
http://support.microsoft.com/kb/q143474/
http://www.windowsitlibrary.com/Content/121/04/5.html

If you have a tech republic membership - http://techrepublic.com.com/5100-6350-5287642.html

That being said -

If you are seeing logon type 3, that indicates a network logon for general file and print access. This is probably due to someone accessing a share or printer.

What resources are shared on the machine? Do you have Exchange or another application loaded up, that may be "talking" to other servers?

I'm pretty sure this link is posted above somewhere -
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 - http://kb/article.asp?id=Q246261

From what I've read, Windows 2003 handles anonymous access a little differently in that it
disallows the anonymous functions themselves rather than general access, so to restrict anonymous access to the server you have to restrict the specific action you want to prevent (such as anonymous enumeration of shares and SAM).

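The thread only ever identified the anonymous logons by reading events 538 and 540 by hand, and never established which trusted-domain hosts were opening them. As an added example (not code from the thread, from Microsoft, or from any of the posters), the Python script below parses the "Field: value" description text of Windows Server 2003 security-log event 540 records, keeps only logon type 3 entries for the NT AUTHORITY\ANONYMOUS LOGON account (a null session), and counts them by Source Network Address, Workstation Name and Logon Process, which is the minimum you need before sniffing or hardening the right box. The event text is constructed to follow the 2003 event 540 layout; the host names, addresses and logon IDs are invented.

```python
"""Triage anonymous (null-session) network logons from Windows Server 2003
security-log events 540 (successful network logon).

Added example for this thread; not code from the thread or from Microsoft.
The event descriptions below are constructed to follow the 2003 event 540
layout; host names, addresses and logon IDs are invented.
"""
import re
from collections import Counter

# One line per field in the event description: "<tab>Field Name:<tab>value".
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

# Constructed sample events: event ID plus the description text as Event
# Viewer shows it. The first two are null sessions from one trusted-domain
# workstation over NTLM; the third is an ordinary trusted-domain user over
# Kerberos; the fourth is a 538 logoff for the first session.
SAMPLE_EVENTS = [
    {"id": 540, "description": (
        "Successful Network Logon:\n"
        "\tUser Name:\tANONYMOUS LOGON\n"
        "\tDomain:\t\tNT AUTHORITY\n"
        "\tLogon ID:\t\t(0x0,0x2B4F1)\n"
        "\tLogon Type:\t3\n"
        "\tLogon Process:\tNtLmSsp\n"
        "\tAuthentication Package:\tNTLM\n"
        "\tWorkstation Name:\tWKS-TRUSTED01\n"
        "\tLogon GUID:\t-\n"
        "\tSource Network Address:\t10.1.5.23\n"
        "\tSource Port:\t1134\n")},
    {"id": 540, "description": (
        "Successful Network Logon:\n"
        "\tUser Name:\tANONYMOUS LOGON\n"
        "\tDomain:\t\tNT AUTHORITY\n"
        "\tLogon ID:\t\t(0x0,0x2C0A7)\n"
        "\tLogon Type:\t3\n"
        "\tLogon Process:\tNtLmSsp\n"
        "\tAuthentication Package:\tNTLM\n"
        "\tWorkstation Name:\tWKS-TRUSTED01\n"
        "\tLogon GUID:\t-\n"
        "\tSource Network Address:\t10.1.5.23\n"
        "\tSource Port:\t1290\n")},
    {"id": 540, "description": (
        "Successful Network Logon:\n"
        "\tUser Name:\tjdoe\n"
        "\tDomain:\t\tTRUSTEDDOM\n"
        "\tLogon ID:\t\t(0x0,0x2D113)\n"
        "\tLogon Type:\t3\n"
        "\tLogon Process:\tKerberos\n"
        "\tAuthentication Package:\tKerberos\n"
        "\tWorkstation Name:\t\n"
        "\tLogon GUID:\t-\n"
        "\tSource Network Address:\t10.1.7.40\n"
        "\tSource Port:\t445\n")},
    {"id": 538, "description": (
        "User Logoff:\n"
        "\tUser Name:\tANONYMOUS LOGON\n"
        "\tDomain:\t\tNT AUTHORITY\n"
        "\tLogon ID:\t\t(0x0,0x2B4F1)\n"
        "\tLogon Type:\t3\n")},
]


def parse_description(text):
    """Map each 'Field: value' line of an event description to a dict."""
    return {name.strip(): value for name, value in FIELD_RE.findall(text)}


def is_anonymous_network_logon(event):
    """True for a 540 event of logon type 3 (network) whose account is the
    well-known NT AUTHORITY\\ANONYMOUS LOGON, i.e. a null session. 538
    logoffs are skipped: they repeat the account but carry no source data."""
    if event["id"] != 540:
        return False
    fields = parse_description(event["description"])
    return (fields.get("Logon Type") == "3"
            and fields.get("User Name", "").upper() == "ANONYMOUS LOGON"
            and fields.get("Domain", "").upper() == "NT AUTHORITY")


def summarise_sources(events):
    """Count anonymous network logons per (source address, workstation name,
    logon process) so the noisy hosts can be chased down on the wire."""
    counts = Counter()
    for event in events:
        if is_anonymous_network_logon(event):
            fields = parse_description(event["description"])
            counts[(fields.get("Source Network Address", "-"),
                    fields.get("Workstation Name", "-"),
                    fields.get("Logon Process", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (addr, host, proc), n in summarise_sources(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {addr:15s}  {host:16s}  {proc}")
```

On a real server you would feed the function an export of the Security log instead of the constructed list. The fields worth keying on are the ones the script uses: Source Network Address tells you which machine to capture traffic from, Workstation Name shows whether the client identified itself, and Logon Process distinguishes an SMB null session negotiated through NtLmSsp from other callers.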
 
LVL 1

Expert Comment

by:Barron1299
Okay, so I have been trying to do the reverse of this and create an anonymous logon so that no credentials are needed. I want this to happen so that any computer that plugs into the network has full control of a share, but no matter what I do the share requires either a username and password or being on the domain.