Anonymous Logon rights

rbs74

Our group policy is configured so that the Everyone group does not include
the anonymous logon group. One of the side effects of this is that if a
user tries to log on and they are supposed to change their password, they
cannot.

We had originally made the change because we were having mass lockouts from
anonymous users trying to brute force admin accounts.

We are debating giving explicit permissions to anonymous login for the
"access this computer from the network". If we still have the "Do not
allow anonymous enumeration of SAM accounts" and "do not allow
anonymous/SID translation" options enabled, will this change pose a
serious security threat?
 
Steven L Umbach

What is network makeup? Are you using downlevel clients? The cure for attacks on the admin account is a firewall unless it is happening from the LAN, in which case you should know what LAN computer it is originating from. Make sure that you do not have netbios/smb 445 ports exposed to the internet. You can go to http://scan.sygatetech.com/ to do a quick assessment of your network vulnerability. The link below explains those anonymous settings you are talking about and when and when not to use them. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch03..mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
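
A read-only check of the settings named in this thread, as an added example that is not part of either post: it exports the effective local security policy with `secedit` and reports whether ANONYMOUS LOGON (well-known SID S-1-5-7) holds "Access this computer from the network", alongside the related anonymous-access values. The scratch file path and the helper name `Get-InfValue` are assumptions made for this example; run it from an elevated prompt on the server under review.

```powershell
# Added example (not from the thread): report the anonymous-access settings discussed above.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'    # assumed scratch path
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg

function Get-InfValue([string[]]$Inf, [string]$Name) {
    # Hypothetical helper: returns the text after "Name =" or $null if the setting is absent.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*='
    $hit = $Inf | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($hit) { ($hit -split '=', 2)[1].Trim() } else { $null }
}

# "Access this computer from the network" is exported as SeNetworkLogonRight,
# a comma-separated list in which well-known SIDs carry a leading asterisk.
$netLogon = Get-InfValue $lines 'SeNetworkLogonRight'
$holders  = @(if ($netLogon) { $netLogon -split ',' | ForEach-Object { $_.Trim() } })

# The remaining settings are stored as values under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

[pscustomobject]@{
    # True once ANONYMOUS LOGON has been granted the right explicitly
    AnonymousHasNetworkLogon  = $holders -contains '*S-1-5-7'
    # True if the right is granted to Everyone (S-1-1-0)
    EveryoneHasNetworkLogon   = $holders -contains '*S-1-1-0'
    # 0 = Everyone does not include ANONYMOUS LOGON
    EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
    # 1 = "Do not allow anonymous enumeration of SAM accounts" is enabled
    RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
    # 1 = "Do not allow anonymous enumeration of SAM accounts and shares" is enabled
    RestrictAnonymous         = $lsa.RestrictAnonymous
    # 0 = "Allow anonymous SID/Name translation" is disabled
    LSAAnonymousNameLookup    = Get-InfValue $lines 'LSAAnonymousNameLookup'
    AllNetworkLogonHolders    = $holders -join ', '
} | Format-List
```

Running it before and after a Group Policy change shows whether the change actually reached the machine.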

