PC Review Forums: Newsgroups / Microsoft AntiSpyware / Security Networking

Maybe a bug? Restrict anonymous.

#1 (Guest)

Hi to you all.

I am experiencing one particular thing, and that is when I change the "Lsa" - "Restrict Anonymous" setting in the registry to value "2", MS AntiSpyware alerts me that I am vulnerable and am in fact allowing Anonymous logons. From what I have learned I am indeed making it even harder to log on to my PC when having the value "2", so this then might be a bug if I am not totally wrong. Just some info to MS, and maybe someone can verify that the value "2" is to harden the computer!?

Thanks and cheers,

Gunilla.

#2 (Guest)

Maybe I should have told you that I have XP Pro SP2. :-))

"Gunilla" <removekakaomumsathotmaildotcom> wrote in message news:%23H8Yf18%23EHA.484@CPMSFTNGSA04.privatenews.microsoft.com...

#3 (Guest)

I have seen a very confusing message--probably the one you are describing, on two XP Pro machines.

Each of these machines was an XP Pro upgrade over Windows 2000 Pro.

I'm reasonably sure that the RestrictAnonymous setting on these machines was 1 when they were running Windows 2000, because they are on a network which includes Macs and 9.x machines.

I didn't see the message on several other machines which were also upgrades over Windows 2000, however.

RestrictAnonymous in XP is different than it is in Windows 2000, and I need to look up the precise meanings of the values--but yes, 2 should be more secure than 1!

"Gunilla" <removekakaomumsathotmaildotcom> wrote in message news:%23H8Yf18%23EHA.484@CPMSFTNGSA04.privatenews.microsoft.com...

#4 (Guest)

Thanks Bill for responding. :-))

Yeah, I am certain too that the value 2 is more secure. My XP Pro is not upgraded, it is a clean install, if that matters?

I know, from what I remember reading, that the value 1 is the default, and wonder if maybe the MS AntiSpyware scanner is set to feel the default settings on each OS it is installed on, so that could be the reason, and if in fact that is the case this would need to be adjusted in the final version. Anyway, not any big deal maybe, but it would be a desirable feature.

Kind regards.....Gunilla.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:u9CEu2A$EHA.1560@CPMSFTNGSA04.privatenews.microsoft.com...

#5 (Guest)

OK - I've got my references in hand--actually--it takes two hands--the XP Professional Resource kit is 1600+ pages, and the Windows Security resource kit is almost 700.

I believe both of them are available online, but I don't have the urls handy.

And, having looked, I can't at the moment find this in the XP Pro RK (second edition.) I did find it in the Windows Security Resource kit, and it bears out what we are both thinking, but doesn't go into detail about the ways in which XP is different in this area. I think the help for this item in the Microsoft Baseline Security Analyzer does say something about that, but I don't have that installed at the moment.

"Gunilla" <removekakaomumsathotmaildotcom> wrote in message news:uwlVIsC$EHA.1560@CPMSFTNGSA04.privatenews.microsoft.com...

#6 (Guest)

Wow, so many pages! I am right now reading on Microsoft this site here below, but I know I have seen it somewhere else better described; finding something on Microsoft's webpages via the search is like searching for a needle in a haystack. I can't however run MBSA, as I have disabled many services that are needed to run it. To be continued I guess, because along the way we will probably discover more bugs. It's a challenge to be testing a beta, but it's nice too. :-))

http://www.microsoft.com/resources/...actok_tools.asp

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:OMWvNDD$EHA.1596@cpmsftngsa05.privatenews.microsoft.com...

#7 (Guest)

"Gunilla" <removekakaomumsathotmaildotcom> wrote in message news:uUkvLiD$EHA.484@CPMSFTNGSA04.privatenews.microsoft.com...
> http://www.microsoft.com/resources/...actok_tools.asp

This bears out my recollection that 2 isn't needed for XP--but let me see if I can get a better reference.

Here's the full text of the MBSA information for this setting:

--------------------------------------------
Restrict Anonymous Users

Issue

The RestrictAnonymous registry setting controls the level of enumeration granted to an anonymous user. If RestrictAnonymous is set to 0 (the default setting), any user can obtain system information, including: user names and details, account policies, and share names. Anonymous users can use this information in an attack on your system. The list of user names and share names could help potential attackers identify who is an administrator, which computers have weak account protection, and which computers share information with the network.

Solution

To restrict anonymous connections from accessing this system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in (the setting is defined in the Local Policies portion of the default security templates) or through a registry editor. You can change the registry setting from 0 to 1 in Microsoft® Windows NT® 4.0, or from 0 to 1 or 2 in Windows® 2000:

0 - None. Rely on default permissions.
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names.
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0).

Caution

- Before you set this value to 2, see article 246261, "How to Use the RestrictAnonymous Registry Value in Windows 2000." We recommend that you do not set this value to 2 on domain controllers or computers running Small Business Server (SBS) in Mixed-Mode environments (for example, networks with downlevel clients). In addition, client machines with RestrictAnonymous set to 2 should not take on the role of master browser. For more details on configuring RestrictAnonymous on domain controllers and in Windows 2000 environments, and to better understand potential compatibility issues when using this setting, refer to the Microsoft Knowledge Base articles that are listed later in this document.

Note

- In Windows XP, there is a new EveryoneIncludesAnonymous registry setting that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP. This provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems. The EveryoneIncludesAnonymous setting can be configured through the Security Configuration Manager snap-in (the setting is defined in the Local Policies portion of the security template) on Windows XP Professional systems or through a registry editor. This setting is located within the same registry key as RestrictAnonymous. For registry path information, see the following Knowledge Base articles.
--------------------------------------------------------------------------------------

XP by default is safer than 2000 or NT. You notice there is no mention of using the 2 setting for XP.

Here's some information from the group policy section of the XP resource kit--no hits on restrictanonymous, but here are the additional and changed settings that make it safer than Windows 2000 in this area:

-------------------------------------------------------------
- Allow anonymous SID/Name translation. Makes it possible for anonymous users to translate SIDs into user names and user names into SIDs. This policy is disabled by default.
- Do not allow anonymous enumeration of SAM accounts. Prevents anonymous users from generating a list of accounts in the SAM database. This policy is enabled by default.
- Do not allow anonymous enumeration of SAM accounts and shares. Prevents anonymous users from generating a list of accounts and shares in the SAM database. This policy is disabled by default.
- Do not allow Stored User Names and Passwords to save passports or credentials for domain authentication. Prevents Stored User Names and Passwords from saving passport or domain authentication credentials after a logon session has ended. This policy is disabled by default.
- Sharing and security model for local accounts. Allows you to choose between the Guest only security model or the Classic security model. In the Guest only model, all attempts to log on to the local computer from across the network will be forced to use the Guest account. In the Classic security model, users who attempt to log on to the local computer from across the network authenticate as themselves. This policy does not apply to computers that are joined to a domain. Otherwise, Guest only is enabled by default.
- Let Everyone permissions apply to Anonymous users. Restores Everyone permissions to users logging on anonymously. In Windows 2000, Anonymous logons received Everyone permissions by default. This default behavior was removed in Windows XP Professional.
---------------------------------------------------
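As an added example (this editor's script, not code from the thread or from Microsoft), a PowerShell check that reads the values under the Lsa key behind the policies listed above and reports which are at their hardened setting, flagging the Windows 2000-only value 2. It assumes the policy-to-registry-value mapping stated in its comments, including the RestrictAnonymousSAM value, which the thread does not name.

```powershell
# Added audit script: not from the thread or from Microsoft.
# Assumption: the mapping of Local Security Policy names to Lsa registry values
# below is from general knowledge of Windows XP, not from the thread.
# "Allow anonymous SID/Name translation" has no registry value and is not checked.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# One entry per setting: registry value, the policy item that backs it (assumed
# mapping), the value that hardens it, and the XP Professional default as
# described in the resource-kit text quoted in the thread.
$AnonymousAccessChecks = @(
    @{ Value = 'RestrictAnonymousSAM'
       Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Hardened = 1; XpDefault = 1 },
    @{ Value = 'RestrictAnonymous'
       Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Hardened = 1; XpDefault = 0 },
    @{ Value = 'EveryoneIncludesAnonymous'
       Policy = 'Let Everyone permissions apply to anonymous users'
       Hardened = 0; XpDefault = 0 }
)

function Get-LsaValue {
    param([string]$Name)
    # A missing value means the OS default applies, so return $null rather than 0.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AnonymousAccessReport {
    foreach ($check in $AnonymousAccessChecks) {
        $actual = Get-LsaValue -Name $check.Value
        $effective = if ($null -eq $actual) { $check.XpDefault } else { $actual }
        $note = ''
        if ($check.Value -eq 'RestrictAnonymous' -and $effective -eq 2) {
            # The MBSA text documents 2 only for Windows 2000; on XP the equivalent
            # hardening is RestrictAnonymous=1 with EveryoneIncludesAnonymous=0.
            $note = 'value 2 is a Windows 2000 setting; use 1 on XP'
        }
        New-Object PSObject -Property @{
            Value     = $check.Value
            Policy    = $check.Policy
            Present   = ($null -ne $actual)
            Effective = $effective
            Hardened  = ($effective -eq $check.Hardened)
            Note      = $note
        }
    }
}

# Writes the hardened value for each setting. Bill's caveat in the thread applies:
# test first where downlevel clients or managed browsing are in use.
function Set-AnonymousAccessHardening {
    foreach ($check in $AnonymousAccessChecks) {
        Set-ItemProperty -Path $LsaKey -Name $check.Value -Value $check.Hardened -Type DWord
    }
}

Get-AnonymousAccessReport |
    Select-Object Value, Present, Effective, Hardened, Policy, Note |
    Format-Table -AutoSize
```

Run from an elevated prompt; Set-AnonymousAccessHardening is defined but not called, so the script only reports unless you invoke it.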

#8 (Guest)

Hi Bill.

Thanks for digging! :-)) It is very interesting reading, and now I have more insight into its meaning. I saw that the value 2 is just to be used in "pure" Win2000 environments, so I see now, because of what you have so kindly found out, that XP Pro is safer by default. This is really something I have tried to find out for months after having several anonymous logons from usernames I never heard about, and thanks to MS AntiSpy's message and my posting about it I have now been taught how to handle this, because so many other things about hardening my PC have I learned along the way.

I have one thing though that I must ask...if I enable the "Do not allow anonymous enumeration of SAM accounts and shares" then it should be the right thing to do if I want to harden my PC even more? Or am I getting it wrong?

Thanks very much.

Gunilla.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:%23tSaoJF$EHA.1932@cpmsftngsa05.privatenews.microsoft.com...

#9 (Guest)

"Gunilla" <removekakaomumsathotmaildotcom> wrote in message news:uwsVOnJ$EHA.1936@cpmsftngsa05.privatenews.microsoft.com...
> Hi Bill.
>
> Thanks for digging! :-)) It is a very interesting reading and now I have
> more insight to its meaning. I saw that the value 2 is just to be used in
> a "pure" Win2000 environments so I see now because of what you have so
> kindly found out that XP Pro is safer by default.
> I have one thing though that I must ask...if I enable the "Do not allow
> anonymous enumeration of SAM accounts and shares" then it should be the
> right thing to do if I want to harden my PC even more? or am I getting it
> wrong? Thanks very much.

My sense of the answer to that question is YES--this is the right thing to do to harden the PC more. However, I don't have a clear sense of what the downside of this might be--i.e. are there operations in a managed networking situation, for example, that will break because of this change. If even in SP2 they didn't make that the default, it is probably because there are mechanisms used in the real world that will break--and I don't have a sense of what those are, or in what kind of environment they are found. Testing makes sense, I think.

#10 (Guest)

It makes sense what you think about why they didn't make it a default setting in SP2. However, I have no intention to share anything, so I will try it to see what develops. Have you ever noticed what a jungle this is, figuring out which settings to use and not to use!? :-)) Thank you so much, you have been so helpful. Gunilla.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:OZ6EqoK$EHA.464@CPMSFTNGSA04.privatenews.microsoft.com...