several KBs at microsoft.com, looks like regkey settings for win2k
Using the RestrictAnonymous registry value to control null sessions
Warning Serious problems might occur if you modify the registry incorrectly
by using Registry Editor or by using another method. These problems might
require that you reinstall your operating system. Microsoft cannot guarantee
that these problems can be solved. Modify the registry at your own risk.
The most common way to control null sessions in Windows 2000 and Windows NT
environments is to use the RestrictAnonymous registry value. The
RestrictAnonymous registry value lets you prevent enumeration of sensitive
information over null sessions. The RestrictAnonymous registry value was
introduced in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and is now
included with Windows 2000. The RestrictAnonymous registry value is added to
the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The RestrictAnonymous registry value lets you configure local computer
policy to determine whether authentication is required to perform common
enumeration functions. There are different RestrictAnonymous registry values
for Windows NT 4.0 and Windows 2000.
In a Windows 2000 environment, you can set the RestrictAnonymous registry
value to 0, 1, or 2. When you set this registry value to 0, anonymous
connections can list account names and enumerate share names. When you set
this registry value to 1, anonymous enumeration of SAM accounts and share
names is not permitted.
Note Even with the RestrictAnonymous registry value set to 1, there are
Win32 programming interfaces that do not restrict anonymous connections.
Therefore, tools that use these interfaces can still enumerate information
over a null session even when the RestrictAnonymous registry value is set to
1.
Finally, when this registry value is set to 2, no access is granted without
explicit anonymous permissions. Therefore, no null sessions are possible,
not even through Win32 programming interfaces. Generally, we do not
recommend that you set the RestrictAnonymous registry value to 2 in
mixed-mode environments that include down-level client computers such as
Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98.
In a Windows NT 4.0 environment, you can set the RestrictAnonymous registry
value to 0, 1, or not defined. When you set this value to 0, or when this
value is not defined, anonymous connections can list account names and
enumerate share names. When you set this value to 1, anonymous connections
from the graphical user interface (GUI) tools for security management
receive an "access denied" error message when they try to obtain the list of
account names.
Note Even when the RestrictAnonymous registry value set to 1, there are
Win32 programming interfaces that do not restrict anonymous connections.
Therefore, tools that use these interfaces can still enumerate information
over a null session even when this registry value is set to 1.
The following features were introduced together with the RestrictAnonymous
registry value: . Authenticated Users group
. Restricting anonymous list of share names
. Restricting anonymous remote registry access
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
I had a problem with users getting Acess Denied when trying to delete
print jobs when they are set up to manage documents. I found the
problem on my 2003 servers. The Network Access: Restrict anonymous
acees to Named Pipes and Shares was Enabled. As soon as I disabled
this all worked fine. However I cannot find this local policy in 2000
server. I'm guessing this is the same problem but any ideas where this
policy may be on 2000 server?
Thanks
Dawn
