As was previously mentioned, on Windows NT/2000/XP computers all access to resources is controlled by ACLs and SIDs. Each resource has an ACL that lists the SIDs of all users and groups who have been granted permissions to access it. When users log on, either locally or over the network, they obtain an access token containing the SID of their user account and the SIDs of all security groups of which the account is a member. When a user tries to access a resource, Windows compares the SIDs in the access token against the ACL of the resource. If the SIDs match, access is granted; otherwise the user is denied access.
Anonymous users, and services that log on anonymously, are automatically added to the built-in Anonymous Logon security group. In earlier versions of Windows NT such users and services could access many resources, including some that should have been available only to authenticated users. Windows 2000 introduced stricter security settings than those available in Windows NT 4.0: a Windows 2000 system can be configured to deny anonymous access to all resources except those to which anonymous access has been explicitly granted. You can do this by using the Local Security Policy MMC snap-in or by editing the registry directly.
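The token-versus-ACL comparison described above can be approximated from an administrator's console. The following PowerShell script is an added example and is not code from the book: it collects the SIDs in the caller's access token, reads the DACL of a file or folder, and reports whether a requested right would be granted under the simplified model the text describes (a matching Deny entry wins over any Allow entry; owner rights, SACLs and the exact ACE ordering rules are ignored). A second function lists Allow entries granted to the Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) groups, which is what an auditor reviewing anonymous exposure wants to see first. The function names and the paths in the usage lines are assumptions.

```powershell
# Added example, not from the book. Assumes Windows PowerShell 5.1 or later on Windows.
# Simplified model of the access check: token SIDs are matched against the DACL,
# a matching Deny ACE overrides Allow, and inheritance/ordering subtleties are ignored.

# Well-known SIDs documented by Microsoft
$EveryoneSid       = 'S-1-1-0'
$AnonymousLogonSid = 'S-1-5-7'

function Get-TokenSids {
    # The user SID plus every group SID carried in the caller's access token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($identity.User.Value)
    foreach ($group in $identity.Groups) { $sids += $group.Value }
    return $sids
}

function ConvertTo-Sid {
    param([System.Security.Principal.IdentityReference]$Reference)
    # ACEs may carry account names or raw SIDs; normalise to a SID string.
    if ($Reference -is [System.Security.Principal.SecurityIdentifier]) { return $Reference.Value }
    try {
        return $Reference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # orphaned or unresolvable account
    }
}

function Test-TokenAccess {
    # Hypothetical helper: would the current token be granted $Right on $Path?
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right = 'ReadData'
    )
    $tokenSids = Get-TokenSids
    $acl = Get-Acl -Path $Path
    $allowed = $false
    foreach ($ace in $acl.Access) {
        $aceSid = ConvertTo-Sid $ace.IdentityReference
        # Skip ACEs whose SID is not in the token (the "SIDs match" test from the text).
        if ($null -eq $aceSid -or $tokenSids -notcontains $aceSid) { continue }
        # Only ACEs that cover the whole requested right are relevant.
        if (($ace.FileSystemRights -band $Right) -ne $Right) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # Deny wins
        $allowed = $true
    }
    return $allowed
}

function Find-AnonymousExposure {
    # Hypothetical helper: list Allow ACEs granted to Everyone or Anonymous Logon.
    # These are the entries that reach unauthenticated callers when anonymous
    # tokens still carry the Everyone SID (Windows NT 4.0, or EveryoneIncludesAnonymous=1).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $aceSid = ConvertTo-Sid $ace.IdentityReference
        if ($ace.AccessControlType -eq 'Allow' -and $aceSid -in @($EveryoneSid, $AnonymousLogonSid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (paths are placeholders):
# Test-TokenAccess -Path 'C:\Share\report.txt' -Right 'ReadData,ReadAttributes'
# Find-AnonymousExposure -Path 'C:\Share' | Format-Table -AutoSize
```

Run `Test-TokenAccess` as the account you are curious about; the result reflects only that account's token, which is the point the text makes about group membership being evaluated at logon. `Find-AnonymousExposure` is the complementary view: rather than asking what one token can reach, it asks which ACEs on a resource would admit anonymous callers if the Everyone SID were ever placed back into their token.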
From the Start menu select Programs | Administrative Tools | Local Security Policy.
Select Security Settings | Local Policies | Security Options.
Go to the right pane of this window and double-click the Additional restrictions for anonymous connections option. In the window that opens, under Local policy setting, select No access without explicit anonymous permissions (Fig. 9.10).
Fig. 9.10: Restricting anonymous access using the Local Security Policy MMC snap-in (Windows 2000)
Launch Regedt32.exe, find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA registry key and create a REG_DWORD value named RestrictAnonymous. Set its value to 0x2 (Hex).
If RestrictAnonymous is set to this value, the access token of users who have not been authenticated no longer includes the Everyone group, so the system denies them access to resources that are available to the Everyone group by default.
Notes
Windows XP goes even further than Windows 2000. In contrast to previous versions of Windows, the access token for anonymous users no longer includes the Everyone security group. Therefore, the access token for anonymous users contains SIDs only for:
Anonymous Logon
The logon type (usually Network)
When an anonymous user tries to access a resource on a computer that is running Windows XP, the anonymous user is not granted the permissions or group memberships that are available to the Everyone security group, because the SID of the Everyone security group is not present in the anonymous user's access token. In most cases this restriction is desirable and appropriate. However, in some situations, for the sake of backward compatibility, you may need to include the Anonymous Logon security group in the Everyone group. For this purpose Windows XP introduces a new registry value, EveryoneIncludesAnonymous, which can be set using the methods described below.
To enable anonymous access via MMC, proceed as follows:
Start the Administrative Tools applet in Control Panel, and then select either Local Security Policy or Domain Security Policy (on domain controllers only).
Expand the Security Settings tree, select Local Policies, and then click Security Options.
Double-click Network access: Let Everyone permissions apply to anonymous users. By default, this policy setting is disabled (Fig. 9.11).
Fig. 9.11: Setting the EveryoneIncludesAnonymous registry value via Local Security Policy
To enable anonymous users to be members of the Everyone security group, click Enabled. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), click Disabled.
To set the EveryoneIncludesAnonymous registry value by using Registry Editor:
Start Regedit.exe and locate the following registry key (Fig. 9.12):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Fig. 9.12: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key
Right-click EveryoneIncludesAnonymous, and then click Modify.
To enable anonymous users to be members of the Everyone security group, in the Value data box, type 1. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), in the Value data box, type 0.
Quit Registry Editor.
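The two registry procedures above (RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA for Windows 2000, and EveryoneIncludesAnonymous under the same key for Windows XP) are easy to verify and apply from a script, which is how a hardening baseline is usually checked across many machines. The PowerShell below is an added example and is not code from the book: `Get-AnonymousAccessPolicy` reads both values and reports whether each is in the restrictive state the text describes (RestrictAnonymous equal to 2; EveryoneIncludesAnonymous equal to 0 or absent), and `Set-AnonymousAccessPolicy` applies those two settings, honouring `-WhatIf` so the change can be previewed. Both function names are assumptions; the script must run elevated to write to the key.

```powershell
# Added example, not from the book. Assumes Windows PowerShell 5.1 or later,
# run elevated when Set-AnonymousAccessPolicy is used without -WhatIf.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousAccessPolicy {
    # Read both values; a missing value comes back as $null, which for
    # EveryoneIncludesAnonymous is equivalent to the Windows XP default of 0.
    $props    = Get-ItemProperty -Path $LsaKey
    $restrict = $props.RestrictAnonymous
    $everyone = $props.EveryoneIncludesAnonymous
    [pscustomobject]@{
        RestrictAnonymous             = $restrict
        RestrictAnonymousIsRestricted = ($restrict -eq 2)     # value the text sets on Windows 2000
        EveryoneIncludesAnonymous     = $everyone
        EveryoneExcludesAnonymous     = ($everyone -ne 1)     # 0 or absent: Everyone SID not in anonymous token
    }
}

function Set-AnonymousAccessPolicy {
    # Apply the restrictive settings from the two procedures above.
    # Set-ItemProperty creates the REG_DWORD value if it does not yet exist.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $settings = @(
        @{ Name = 'RestrictAnonymous';         Value = 2 },
        @{ Name = 'EveryoneIncludesAnonymous'; Value = 0 }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$LsaKey\$($s.Name)", "set REG_DWORD to $($s.Value)")) {
            Set-ItemProperty -Path $LsaKey -Name $s.Name -Value $s.Value -Type DWord
        }
    }
    # Return the resulting state so the caller can confirm the change.
    Get-AnonymousAccessPolicy
}

# Usage:
# Get-AnonymousAccessPolicy
# Set-AnonymousAccessPolicy -WhatIf    # preview
# Set-AnonymousAccessPolicy            # apply (elevated)
```

The values are read at logon, so a token issued before the change keeps its old group list; check with a fresh logon, or reboot older systems, before concluding the setting is ineffective. As the text notes for EveryoneIncludesAnonymous, the restrictive settings can break older clients and trusts that relied on anonymous enumeration, so preview with `-WhatIf`, roll out to a test machine first, and keep the audit function in the baseline so drift back to the permissive values is noticed.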