Deny all anonymous

B

Bill W.

Hi,

I want to deny all and/or any anonymous access to any
services, workstations, and clients. Also I don't want to
allow null anything,(pipes, shares, etc.). I have a win2k
advanced netowrk with mixed clients and servers. Clients
are Win98Se, Win2kPro, WinXP Pro. Servers are
Win2kAdvanced, Win2003Standard, WinNT 4.0.

Any info is helpfull. Thank you.
 
S

Steven L Umbach

This is accomplished with a firewall, acls permissions, security options,
and user rights assignments. A firewall is the best way to block access to
null sessions from untrusted networks. For within your network you can
replace the everyone and users group with the authenticated users in acls
and user rights assignments and harden the security option for additional
restrictions for anonymous users to no access without explicit anonymous
permissions. However I would not recommend changing that security option to
setting "2" for a mixed network as you will have problems especially with
password changes [including XP clients] and spotty performance of network
browsing . See the KB link below for the ramifications of restricting
anonymous access to strictest setting and I suggest you read the Windows
2000 Security Hardening Guide for specific recommendations that involve
different network makeups.. --- Steve

http://support.microsoft.com/?kbid=246261
http://tinyurl.com/vgd5
 
S

Steven L Umbach

Just to add other that a firewall, I would not make any changes until you
read the Windows 2000 Security Hardening Guide. You also need to be careful
when modifying the user right assignment for access this computer from the
network on Domain Controller Security Policy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
http://support.microsoft.com/default.aspx?scid=kb;en-us;257346

Steven L Umbach said:
This is accomplished with a firewall, acls permissions, security options,
and user rights assignments. A firewall is the best way to block access to
null sessions from untrusted networks. For within your network you can
replace the everyone and users group with the authenticated users in acls
and user rights assignments and harden the security option for additional
restrictions for anonymous users to no access without explicit anonymous
permissions. However I would not recommend changing that security option to
setting "2" for a mixed network as you will have problems especially with
password changes [including XP clients] and spotty performance of network
browsing . See the KB link below for the ramifications of restricting
anonymous access to strictest setting and I suggest you read the Windows
2000 Security Hardening Guide for specific recommendations that involve
different network makeups.. --- Steve

http://support.microsoft.com/?kbid=246261
http://tinyurl.com/vgd5

Bill W. said:
Hi,

I want to deny all and/or any anonymous access to any
services, workstations, and clients. Also I don't want to
allow null anything,(pipes, shares, etc.). I have a win2k
advanced netowrk with mixed clients and servers. Clients
are Win98Se, Win2kPro, WinXP Pro. Servers are
Win2kAdvanced, Win2003Standard, WinNT 4.0.

Any info is helpfull. Thank you.
Click to expand...
Click to expand...
 
G

Guest

-----Original Message-----
Hi,

I want to deny all and/or any anonymous access to any
services, workstations, and clients. Also I don't want to
allow null anything,(pipes, shares, etc.). I have a win2k
advanced netowrk with mixed clients and servers. Clients
are Win98Se, Win2kPro, WinXP Pro. Servers are
Win2kAdvanced, Win2003Standard, WinNT 4.0.

Any info is helpfull. Thank you.
.
Go to Control panel -select administated tools than click
Click to expand...
computer management-go to advance tab, than delete all
users.
 
K

Karl Levinson [x y] mvp

You won't be able to restrict all anonymous until you get rid of the Win NT
and 98 computers.

It sounds like what you really want to do is increase your security. That's
more than just restricting anonymous. To do so, see here:

http://securityadmin.info/faq.asp#harden

To find out more about netbios null sessions and test your computers to see
what information is available through them, go to www.securityfriday.com
especially the getacct tool Searching www.microsoft.com/support and also
www.google.com for "restrictanonymous" would also get you some additional
information.

Note that the registry settings for null sessions on NT, 2000 and XP are all
different. For NT, RestrictAnonymous should = 1 for the most security
possible [although netbios null sessions are still allowed with that
setting, you just get somewhat less information through them]. For windows
2000, RestrictAnonymous can = 1 or 2, but 2 breaks things with NT and 98.
For XP, RestrictAnonymous cannot = 2, it should probably = 1, but there is a
second registry key called RestrictAnonymousSAM. Documentation on doing
this with XP is very slim, you have to search www.google.com for
"restrictanonymoussam" for more information.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Question on GPO w/ Term Svcs 1
AD and NTLM not replicating 1
How to prevent user from accessing the network computers? 1
Network access issue in Home Network 2
Windows 2000 DHCP Server and VPN 1
Cluster Server and OS X 1
Win2K Pro, WinNT4 Svr, and Policies 1
Just several last questions before the possible system crash 1

Top