Q: How can I control Anonymous access to my Windows XP and Windows Server 2003 platforms? What does Anonymous access mean, and how do XP and Windows 2003 make locking it down easier?

A: Anonymous access means that a user can access a Windows system or one of its resources without authenticating to a Windows security authority. A session that is established without authenticating the user on the other end is also referred to as a null session. Microsoft introduced anonymous access to allow users who don’t have Windows credentials to also access Windows-hosted resources.

In the early days, Microsoft opened too many gates for anonymous users—giving way to many (in)famous security exploits. On Windows NT 4.0 and Windows 2000 for example, it's trivial for anonymous users to enumerate all accounts defined on a system and to retrieve the names and security identifiers of key accounts, such as the default administrator account. In XP, Windows 2003 and Windows 2003 R2, Microsoft more effectively restricts what can be done to a Windows system and its resources when they are accessed anonymously. To further lock down Anonymous access, Microsoft added a couple of new registry keys and locked down certain configuration settings that before were wide open.

A key security enhancement in Windows 2003 is that the privileges of the Everyone group no longer automatically apply to anonymous users. In earlier Windows versions, the Everyone group was automatically added to the access token of the anonymous user account; hence anonymous users automatically received all privileges of the Everyone group. This behavior can be controlled using the following Group Policy Object (GPO) setting: “Network access: Let Everyone permissions apply to anonymous users.” This setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. It corresponds to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\everyoneincludesanonymous.

All anonymous access–related GPO security options, their default and recommended settings, and their meanings are listed in Table 1. All settings can be found in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. Table 1 lists only the Anonymous access-related GPO security options for Windows 2003, R2 and XP. Win2K, NT 4.0, and earlier Windows versions are not covered.

In XP, Windows 2003, and R2 most of these settings are enabled by default. The only Anonymous access-related GPO settings I recommend that you change are:

  • On Windows 2003 and R2 domain controllers (DCs): “Network access: Allow anonymous SID/Name translation”. On Windows 2003 and R2 DCs, this setting is enabled by default. When it's enabled, attackers can still use anonymous access-based enumeration tools like sid2user, user2sid, userdump. To block these tools, I recommend you disable the “Network access: Allow anonymous SID/Name translation” setting on Windows 2003 and R2 DCs. This GPO setting does not have a corresponding registry key.
  • On all XP, Windows 2003, and R2 machines: “Do not allow anonymous enumeration of SAM accounts and shares”. This setting is disabled by default. I recommend you enable it to provide your systems with an additional layer of protection against Anonymous access-based enumeration. Enabling this GPO setting corresponds to setting the restrictanonymous registry key to a value of 1.
Changing some of these settings can have interesting side-effects. Use these settings with extreme care and make sure that you apply changes first in a test environment before using them in your production network. For an overview of things that may not work if you change some of the settings listed in Table 1, have a look at the Microsoft article "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" at http://support.microsoft.com/kb/823659. Most of the problems that may occur are related to the operation of machines that are running older Windows versions.

A last recommendation in the context of this discussion on restricting Anonymous access is related to the built-in “Pre-Windows 2000 Compatible Access” Active Directory (AD) domain local group. If during AD installation (dcpromo) you select “Permissions compatible with pre-Windows 2000 server operating systems” (as Figure 1 shows), this group will include the anonymous logon security principal. By default, the Pre-Windows 2000 Compatible Access group has the permissions to see all AD objects and all properties of AD user and group objects. In other words: thanks to the default memberships of this group anonymous users can perform AD data enumeration. That's why in Windows 2003 environments, where you don't need this group for compatibility with NT servers, I recommend you remove the anonymous logon account from the Pre-Windows 2000 Compatible Access group. You can do this by changing the group’s membership from the Microsoft Management Console (MMC) AD Users and Computers snap-in or from the command line as follows:

net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete

The NT RAS server is an example of a server that requires Anonymous access to AD and thus anonymous membership of the “Pre-Windows 2000 Compatible Access” group. See the following Microsoft article "How To Add Users to the Pre-Windows 2000 Compatible Access Group in Windows Server 2003" at http://support.microsoft.com/kb/325363/en-us for more information.
Table 1: Anonymous access-related Security Options in the GPO settings

Each entry gives the GPO setting, the recommended setting, the default setting, and the meaning of the setting.

Network Access: Allow anonymous SID/Name translation
  • Recommended setting: Disabled (disables anonymous SID/name translation).
  • Default setting: Disabled on Windows XP and on Windows Server 2003 and R2 member servers; Enabled on Windows Server 2003 and R2 domain controllers.
  • Meaning: Determines whether an anonymous user can request the SID attributes of another user. It restricts whether anonymous users can call the LookupAccountSid API.

Network Access: Do not allow anonymous enumeration of SAM accounts
  • Recommended setting: Enabled (disables anonymous enumeration of SAM accounts; registry value 1).
  • Default setting: Enabled (value 1).
  • Meaning: Determines whether anonymous users are allowed to enumerate the names of SAM accounts. It restricts whether anonymous users can call the NetUserEnum API. This setting only affects standalone machines; it has no effect on domain controllers.

Network Access: Do not allow anonymous enumeration of SAM accounts and shares
  • Recommended setting: Enabled (disables anonymous enumeration of SAM accounts and shares; registry value 1).
  • Default setting: Disabled (value 0).
  • Meaning: Determines whether anonymous users are allowed to enumerate the names of accounts and network shares. It restricts whether anonymous users can call the NetUserEnum and NetShareEnum APIs.

Network Access: Let Everyone permissions apply to anonymous users
  • Recommended setting: Disabled (Everyone permissions are not applied to anonymous users; registry value 0).
  • Default setting: Disabled (value 0).
  • Meaning: Determines whether the Everyone group SID is in the access token of the anonymous user, and therefore whether Everyone permissions apply to anonymous users.

Network Access: Restrict anonymous access to Named Pipes and Shares (available on Windows Server 2003 and R2 only)
  • Recommended setting: Enabled (restricts anonymous access to named pipes and shares; registry value 1).
  • Default setting: Enabled.
  • Meaning: Determines whether named pipes and shares can be accessed anonymously. This is a system-wide setting: it applies to all named pipes and shares on a Windows system.

Network Access: Named pipes that can be accessed anonymously
  • Recommended setting: Restrict anonymous access to named pipes.
  • Default list on Windows Server 2003 and R2: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, netlogon, lsarpc, samr, browser. Default list on Windows XP: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, llsrpc, browser.
  • Meaning: Determines which named pipes will allow anonymous access. This setting defines exceptions to the system-wide rule that is set using the RestrictNullSessAccess key (the “Restrict anonymous access to Named Pipes and Shares” setting above). If RestrictNullSessAccess is enabled, the NullSessionPipes key holds the names of the named pipes that can still be accessed anonymously.

Network Access: Shares that can be accessed anonymously
  • Recommended setting: Restrict anonymous access to shares.
  • Default list: COMCFG, DFS$.
  • Meaning: Determines which network shares can be accessed by anonymous users. This setting defines exceptions to the system-wide rule that is set using the RestrictNullSessAccess key (see above). If RestrictNullSessAccess is enabled, the NullSessionShares key holds the names of the shares that can still be accessed anonymously.

Network Access: Remotely accessible registry paths
  • Recommended setting: Restrict anonymous access to registry paths.
  • Default list: too long to include in this table.
  • Meaning: Determines which registry paths can be accessed by anonymous users. These keys control exceptions to the ACL settings of the winreg registry key; winreg controls who can access the registry remotely. In Windows XP, these exceptions apply to the entire registry tree underneath the key. In Windows Server 2003, these exceptions apply only to the key itself.

Network Access: Remotely accessible registry paths and sub-paths (available on Windows Server 2003 and R2 only)
  • Recommended setting: Restrict anonymous access to registry paths.
  • Default list: too long to include in this table.
  • Meaning: Determines which registry paths can be accessed by anonymous users. These keys control exceptions to the ACL settings of the winreg registry key; winreg controls who can access the registry remotely. These exceptions apply to the entire registry tree underneath the key.
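As an added example that is not part of the original article, the following read-only PowerShell script audits a machine against the recommendations in Table 1 and the group-membership advice above. It assumes the standard registry locations of the values the table names: the Lsa key for EveryoneIncludesAnonymous, RestrictAnonymous and RestrictAnonymousSAM (the value behind the “SAM accounts” setting), and the LanmanServer\Parameters key for RestrictNullSessAccess, NullSessionPipes and NullSessionShares.

```powershell
# Added audit script, not part of the original article. Reads the registry
# values behind the Table 1 settings and reports which ones deviate from the
# article's recommendations. It only reads; it changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# One entry per GPO setting: registry location, recommended value, GPO name.
$checks = @(
  @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Want=0;
     Gpo='Let Everyone permissions apply to anonymous users' },
  @{ Path=$lsa; Name='RestrictAnonymousSAM'; Want=1;
     Gpo='Do not allow anonymous enumeration of SAM accounts' },
  @{ Path=$lsa; Name='RestrictAnonymous'; Want=1;
     Gpo='Do not allow anonymous enumeration of SAM accounts and shares' },
  @{ Path=$srv; Name='RestrictNullSessAccess'; Want=1;
     Gpo='Restrict anonymous access to Named Pipes and Shares' }
)

function Get-RegValue($Path, $Name) {
  # $null means the value is absent, i.e. the policy is not configured.
  $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
  if ($item) { $item.$Name } else { $null }
}

$findings = foreach ($c in $checks) {
  $actual = Get-RegValue $c.Path $c.Name
  $shown = 'not set'
  if ($null -ne $actual) { $shown = $actual }
  New-Object PSObject -Property @{
    Setting = $c.Gpo; Value = $c.Name; Actual = $shown
    Recommended = $c.Want; Compliant = ($actual -eq $c.Want)
  }
}
$findings | Format-Table Setting, Value, Actual, Recommended, Compliant -AutoSize

# The exception lists deserve a look: every pipe or share named here stays
# reachable anonymously even when RestrictNullSessAccess is 1.
"NullSessionPipes : $((Get-RegValue $srv 'NullSessionPipes') -join ', ')"
"NullSessionShares: $((Get-RegValue $srv 'NullSessionShares') -join ', ')"

# On a DC, flag the group membership from the article's last recommendation.
$members = net localgroup "Pre-Windows 2000 Compatible Access" 2>$null
if ($members -match 'ANONYMOUS LOGON') {
  'WARNING: ANONYMOUS LOGON is a member of Pre-Windows 2000 Compatible Access'
}
```

Run it in an elevated PowerShell session on each XP or Windows 2003 machine; a “not set” entry means the setting is not configured locally and the system falls back to the default in Table 1.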