Restricting Anonymous Access to the Computer

As was previously mentioned, on Windows NT/2000/XP computers all access to resources is controlled by ACLs and SIDs. Each resource has an ACL containing the SIDs of all users and groups that have been granted permissions to access that resource. When users log on, either locally or over the network, they obtain access tokens containing the SIDs of their user account and of all security groups their accounts are members of. When a user tries to access a resource, Windows compares the SIDs in the access token against the ACL of the resource. If the SIDs match, access is granted; otherwise the user is denied access.

Restricting Anonymous Access in Windows 2000

Anonymous users or services that log on anonymously are automatically added to the Anonymous Logon built-in security group. In earlier versions of Windows NT, such users or services were able to access many resources (sometimes including resources that should be accessible only to authenticated users). Windows 2000 introduced stricter security settings than the ones available in Windows NT 4.0. The Windows 2000 system may be configured in such a way as to prevent anonymous access to all resources, except for those to which anonymous users have been explicitly granted access. You can do this by using the Local Security Policy MMC snap-in or by editing the registry directly.

Using the Local Security Policy MMC Snap-In

  1. From the Start menu select Programs | Administrative Tools | Local Security Policy.

  2. Select Security Settings | Local Policies | Security Options.

  3. Go to the right pane of this window and double-click the Additional restrictions for anonymous connections option. In the window that opens, under Local policy setting, select No access without explicit anonymous permissions (Fig. 9.10).

    Fig. 9.10: Restricting anonymous access using the Local Security Policy MMC snap-in (Windows 2000)

Using the Registry Editor

Launch Regedt32.exe, find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA registry key and create a REG_DWORD value named RestrictAnonymous under it. Set its value to 0x2 (Hex).

If RestrictAnonymous is set to this value, the access token of users who have not been authenticated no longer includes the Everyone group. The system will therefore deny them access to resources that are available to the Everyone group by default.

Notes 
  • Before restricting anonymous access to the system, Microsoft recommends that you analyze all the advantages provided by this setting (from a security point of view) in comparison to the possible problems that may be caused by the restriction of anonymous user rights. Some Windows 2000 services and legacy applications depend on the anonymous user. For example, if you have a mixed environment, where you also have Windows NT 4.0 Workstation and Server computers (and even Windows 95/98 systems), it's recommended that you don't set the RestrictAnonymous value to 0x2. If you only have Windows 2000 systems in your network, you can use this setting, but only after carefully testing all of the system services and application programs.

  • The standard security template High Secure includes this restriction. If you use this security template in a mixed environment, this may cause problems.

  • To be compatible with services that require anonymous access to certain domain data, Windows 2000 provides a way to switch between high-security settings (the preferred configuration when backward compatibility is not required) and backward-compatible security settings that grant anonymous users the access required by systems running Windows NT 4.0 and earlier versions of Windows. The Pre-Windows 2000 Compatible Access security group, which was introduced in Windows 2000, controls this choice. Backward compatibility is achieved on computers running Windows 2000 by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You can configure the high-security settings by removing all members from the Pre-Windows 2000 Compatible Access group.

Windows XP Enhancements and Compatibility Issues

Windows XP has gone even further than Windows 2000. In contrast to previous versions of Windows, the access token for anonymous users no longer includes the Everyone security group. Therefore, the access token for anonymous users contains SIDs for:

  • Anonymous Logon

  • The logon type (usually Network)

When an anonymous user tries to access a resource on a computer that is running Windows XP, the anonymous user is not granted permissions or group memberships that are available to the Everyone security group, because the SID for the Everyone security group is not present in the anonymous user's access token. It should be noted that in most cases this restriction is desirable and appropriate. However, in some situations, for the sake of backward compatibility, you may need to include the Anonymous Logon security group in the Everyone group. For this very purpose Windows XP introduces a new registry value, EveryoneIncludesAnonymous, which can be set using the methods described below.

Using Local Security Policy

To enable anonymous access via MMC, proceed as follows:

  1. Start the Administrative Tools applet in Control Panel, and then select either Local Security Policy or Domain Security Policy (on domain controllers only).

  2. Expand the Security Settings tree, select Local Policies, and then click Security Options.

  3. Double-click Network access: Let Everyone permissions apply to anonymous users. By default, this policy setting is disabled (Fig. 9.11).

    Fig. 9.11: Setting the EveryoneIncludesAnonymous registry value via Local Security Policy

  4. To enable anonymous users to be members of the Everyone security group, click Enabled. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), click Disabled.

Using Registry Editor

To set the EveryoneIncludesAnonymous registry value by using Registry Editor:

  1. Start Regedit.exe and locate the following registry key (Fig. 9.12):

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa 

    Fig. 9.12: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key

  2. Right-click EveryoneIncludesAnonymous, and then click Modify.

  3. To enable anonymous users to be members of the Everyone security group, in the Value data box, type 1. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token (the Windows XP default), in the Value data box, type 0.

  4. Quit Registry Editor.
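Both the RestrictAnonymous procedure for Windows 2000 and the EveryoneIncludesAnonymous procedure for Windows XP boil down to reading and writing two REG_DWORD values under the Lsa key. The following script is an added example (not from the book) that audits those two values against the hardened settings the text describes and optionally remediates them; it assumes a host where Windows PowerShell is available, an account with rights to read (and, for remediation, write) HKLM, and that the Windows 2000 value of 2 is the desired RestrictAnonymous setting, which the compatibility notes above may argue against in a mixed environment.

```powershell
# Added example: audit the two LSA values discussed in the text and report
# whether anonymous access is restricted. -Remediate writes the hardened
# values; -WhatIf previews that write without changing the registry.
function Test-AnonymousAccessRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remediate
    )

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Hardened values from the text: RestrictAnonymous = 2 (Windows 2000, may
    # break mixed environments) and EveryoneIncludesAnonymous = 0 (XP default).
    $expected = [ordered]@{
        RestrictAnonymous         = 2
        EveryoneIncludesAnonymous = 0
    }

    $current = Get-ItemProperty -Path $lsaPath -ErrorAction Stop

    foreach ($name in $expected.Keys) {
        $prop = $current.PSObject.Properties[$name]
        # A missing value is treated as 0, the permissive behaviour for both settings.
        $value = if ($null -ne $prop) { [int]$prop.Value } else { 0 }
        $compliant = ($value -eq $expected[$name])

        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess("$lsaPath\$name", "Set to $($expected[$name])")) {
            # Set-ItemProperty creates the REG_DWORD value if it does not exist yet.
            Set-ItemProperty -Path $lsaPath -Name $name -Value $expected[$name] -Type DWord
            $value = $expected[$name]
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $name
            Current   = $value
            Expected  = $expected[$name]
            Compliant = $compliant
        }
    }
}

# Report only; add -Remediate (optionally with -WhatIf) to apply the hardened values.
Test-AnonymousAccessRestriction | Format-Table -AutoSize
```

Run the report before and after changing either setting through the MMC snap-in to confirm that the policy UI and the registry agree.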



Windows XP Registry