4.7 Anonymous access


In Windows Server 2003, Microsoft included several new features to restrict what can be done to a Windows Server 2003 system and its resources using anonymous access. Anonymous access (also known as the null session) was introduced in the Windows OS to let users who have no Windows credentials reach Windows-hosted resources, for example to browse a share list or resolve a name. Microsoft, however, opened too many gates for anonymous users, and this gave rise to many (in)famous security exploits: enumerating account names, group memberships, shares and password policy over a null session has long been the first step of an attack on a Windows domain.

A key security enhancement is that the Anonymous Logon group is no longer a member of the Everyone group. In Windows, anyone who tries to access a resource without providing credentials is by default a member of the Anonymous Logon group; in earlier Windows versions that group was also included in Everyone, so every permission granted to Everyone (which is most permissions) also applied to anonymous users. This behavior can easily be reverted by enabling the following GPO setting: “Network access: Let Everyone permissions apply to anonymous users.” It is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container and should be left disabled (the default) unless a legacy application demonstrably needs it. This new GPO setting corresponds to the following registry value (REG_DWORD; 0 = disabled, 1 = enabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous

Microsoft also included other new anonymous access–related security options in the GPO settings. They are listed in Table 4.6 and are also located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. The sidenote below explains how to set up auditing of anonymous access-based AD data enumeration.

Table 4.6: Anonymous Access–Related Security Options in the GPO Settings

GPO Setting: Network access: Allow anonymous SID/Name translation
Meaning: Determines whether an anonymous user can request the name that belongs to a SID, and vice versa; for example, retrieve the built-in Administrator account name given the Administrator SID (whose relative identifier, the last component of the SID, is always 500). While this setting is enabled, renaming the Administrator account gives no protection against an anonymous attacker.

GPO Setting: Network access: Do not allow anonymous enumeration of SAM accounts
Meaning: Determines whether anonymous users are allowed to perform certain activities, such as enumerating the names of domain accounts. On a domain controller the SAM interface is backed by Active Directory, which is why the sidenote below audits an AD object for this activity.

GPO Setting: Network access: Do not allow anonymous enumeration of SAM accounts and shares
Meaning: Determines whether anonymous users are allowed to perform certain activities, such as enumerating the names of domain accounts and network shares. This is the stricter of the two enumeration settings; it covers everything the previous one does, plus share enumeration.

GPO Setting: Network access: Restrict anonymous access to Named Pipes and Shares
Meaning: Determines whether anonymous access to named pipes and shares is restricted to the pipes and shares listed in the two settings that follow. When this setting is disabled, anonymous users can reach any share or pipe that its own permissions allow.

GPO Setting: Network access: Shares that can be accessed anonymously
Meaning: Determines which network shares can be accessed by anonymous users; the list only takes effect when the previous setting is enabled, and every share on it is reachable over a null session.

GPO Setting: Network access: Named Pipes that can be accessed anonymously
Meaning: Determines which named pipes can be accessed by anonymous users; as with the share list, it only takes effect when anonymous access to named pipes and shares is restricted.
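The following PowerShell script is an added example and is not part of the book. It reads the registry values behind the settings in Table 4.6 from one machine, compares them with the hardened values this section argues for, and then attempts the null session those settings are meant to stop, which is the quickest way to confirm that a policy actually took effect. The registry value names, the hardened values and the secedit export name are taken from my own knowledge of the platform rather than from the book; the script assumes PowerShell 3.0 or later, the Remote Registry service running on the target, and SMB reachability. “Allow anonymous SID/Name translation” is not stored in the registry (it lives in the LSA policy database) and is therefore read from a local secedit export only.

```powershell
# Added example (not from the book): check the registry values behind Table 4.6
# on one machine and test whether a null session still works against it.
# Assumptions: PowerShell 3.0+, Remote Registry reachable on $Computer, SMB reachable.
param([string]$Computer = $env:COMPUTERNAME)

$lsa = 'SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# GPO setting -> registry key, value name, hardened value (my mapping, not the book's)
$dwordChecks = @(
    @{ Setting = 'Let Everyone permissions apply to anonymous users';             Key = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 },
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';            Key = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares'; Key = $lsa; Name = 'RestrictAnonymous';         Want = 1 },
    @{ Setting = 'Restrict anonymous access to Named Pipes and Shares';           Key = $srv; Name = 'RestrictNullSessAccess';    Want = 1 }
)
# The two list settings (REG_MULTI_SZ): every entry is reachable over a null session.
$listChecks = @(
    @{ Setting = 'Shares that can be accessed anonymously';      Key = $srv; Name = 'NullSessionShares' },
    @{ Setting = 'Named Pipes that can be accessed anonymously'; Key = $srv; Name = 'NullSessionPipes'  }
)

function Get-AnonymousAccessSettings {
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    foreach ($c in $dwordChecks) {
        $value  = $hklm.OpenSubKey($c.Key).GetValue($c.Name)   # $null when the value is absent
        $status = if ($null -eq $value) { 'ABSENT (OS default applies)' }
                  elseif ([int]$value -eq $c.Want) { 'ok' }
                  else { 'WEAK' }
        [pscustomobject]@{ Setting = $c.Setting; Value = $value; Hardened = $c.Want; Status = $status }
    }
    foreach ($c in $listChecks) {
        $value = $hklm.OpenSubKey($c.Key).GetValue($c.Name)
        $list  = if ($value) { $value -join ', ' } else { '(empty)' }
        [pscustomobject]@{ Setting = $c.Setting; Value = $list; Hardened = '(as short as possible)'; Status = 'review' }
    }
    $hklm.Close()
    # SID/Name translation is an LSA policy setting, not a registry value; locally it can be
    # read from a security template export, where it appears as LSAAnonymousNameLookup (0 = disabled).
    if ($Computer -eq $env:COMPUTERNAME) {
        $inf = Join-Path $env:TEMP 'anon-secpol.inf'
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $m = Select-String -Path $inf -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' | Select-Object -First 1
        $v = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
        $status = if ($v -eq 0) { 'ok' } elseif ($null -eq $v) { 'unknown' } else { 'WEAK' }
        [pscustomobject]@{ Setting = 'Allow anonymous SID/Name translation'; Value = $v; Hardened = 0; Status = $status }
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-NullSession {
    param([string]$Computer)
    # The same thing an attacker does first: connect to IPC$ with an empty user name and password.
    # --% stops PowerShell from mangling the empty "" arguments; %TARGET% is expanded cmd-style.
    $env:TARGET = $Computer
    & net.exe --% use \\%TARGET%\IPC$ "" /user:"" >NUL 2>&1
    if ($LASTEXITCODE -ne 0) { return 'null session refused' }
    # With the null session up, try the classic enumeration: list the target's shares.
    $sharesOut = & net.exe view "\\$Computer" 2>&1
    $sharesOk  = ($LASTEXITCODE -eq 0)
    & net.exe use "\\$Computer\IPC$" /delete /y 2>&1 | Out-Null
    if ($sharesOk) { return "null session accepted AND share list readable:`n$($sharesOut -join "`n")" }
    return 'null session accepted, but share enumeration refused'
}

Get-AnonymousAccessSettings -Computer $Computer | Format-Table Setting, Value, Hardened, Status -AutoSize
Test-NullSession -Computer $Computer
```

Run it against a server before and after a policy change: a 'WEAK' row or 'ABSENT' row tells you which setting to fix, and 'null session refused' is the result you want to see. Values that are absent are reported rather than assumed, because the OS default differs between Windows versions.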

Enabling auditing for anonymous access AD data enumeration

To enable auditing for anonymous access-based AD data enumeration, do the following:

  • Log on to a domain controller of the forest root domain using an account with Domain Admins credentials.

  • Open the ADSI Edit MMC snap-in.

  • Connect to the Domain naming context of the forest root domain.

  • Open the properties of the CN=Server,CN=System,DC=<FQDN> AD object (the samServer object; replace DC=<FQDN> with the domain's distinguished name, one DC= component per DNS label).

  • In the Security tab, click Advanced.

  • On the Auditing tab, add the following two auditing entries:

    Type: Success   Name: Anonymous Logon   Access: Read All Properties            Apply onto: This object only

    Type: Success   Name: Anonymous Logon   Access: Enumerate Entire SAM Domain    Apply onto: This object only

These entries only produce events if the “Audit directory service access” audit policy is enabled for Success on the domain controllers (Default Domain Controllers Policy, Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy); the SACL on the object by itself logs nothing. Every domain has its own samServer object, so repeat the procedure in each domain whose accounts you want to monitor.
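The same two audit entries can be set with a script instead of ADSI Edit. The following PowerShell is an added example and is not from the book: it uses the .NET System.DirectoryServices classes, resolves the domain DN from RootDSE instead of typing it, and looks up the GUID of the “Enumerate Entire SAM Domain” extended right in the configuration partition's Extended-Rights container rather than hard-coding it. It assumes it is run on a domain controller as a Domain Admin (writing a SACL needs SeSecurityPrivilege) and that the extended right's displayName is the string shown in the ACL editor.

```powershell
# Added example (not from the book): add the sidenote's two SACL entries to the
# samServer object of the current domain and print them back for verification.
Add-Type -AssemblyName System.DirectoryServices

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$configDn  = [string]$rootDse.configurationNamingContext
$samServer = [ADSI]"LDAP://CN=Server,CN=System,$domainDn"

# Look up the rightsGuid of the extended right instead of hard-coding it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
$searcher.Filter = '(&(objectClass=controlAccessRight)(displayName=Enumerate Entire SAM Domain))'
$null = $searcher.PropertiesToLoad.Add('rightsGuid')
$result = $searcher.FindOne()
if (-not $result) { throw "Extended right 'Enumerate Entire SAM Domain' not found under $configDn" }
$enumRightGuid = [Guid]$result.Properties['rightsguid'][0]

# ANONYMOUS LOGON is the well-known SID S-1-5-7.
$anonymous = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-7')

# Entry 1: Success / Anonymous Logon / Read All Properties / This object only
$readAllProps = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $anonymous,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Entry 2: Success / Anonymous Logon / Enumerate Entire SAM Domain / This object only
$enumDomain = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $anonymous,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AuditFlags]::Success,
    $enumRightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Reading or writing a SACL requires SeSecurityPrivilege, which Domain Admins hold.
$sd = $samServer.psbase.ObjectSecurity
$sd.AddAuditRule($readAllProps)
$sd.AddAuditRule($enumDomain)
$samServer.psbase.CommitChanges()

# Verify: list the explicit audit rules that now apply to ANONYMOUS LOGON.
$samServer.psbase.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $anonymous } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AuditFlags, InheritanceType -AutoSize
```

ObjectType in the verification output should show the rightsGuid found in the search for the second entry and an all-zero GUID for the first; InheritanceType None corresponds to “This object only” in the ACL editor. As noted above, the entries only generate events once directory service access auditing is enabled for Success on the domain controllers.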




Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Authors: Jan De Clercq
