Restrict Anonymous check
Applies To: Forefront Client Security
The Restrict Anonymous SSA check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections on the scanned computer. The registry setting is at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
Anonymous users can list certain types of system information, including user names and details, account policies, and share names. The list of user names and share names could help potential attackers learn compromising information, such as:
Who is an administrator.
Which computers have weak account protection.
Which computers share information with the network.
Users who want enhanced security can restrict this function so that anonymous users cannot access this information.
The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. RestrictAnonymous can be set to any of the following values:
0—None. Rely on default permissions.
1—Do not allow enumeration of Security Accounts Manager accounts and names.
2—No access without explicit anonymous permissions.
It is not recommended that you set RestrictAnonymous to 2 on domain controllers or on computers running Microsoft Windows Small Business Server 2003 (Windows SBS) server software unless they are in pure Windows 2000 Server environments and have been tested for application compatibility. In addition, client computers with RestrictAnonymous set to 2 should not take on the role of master browser.
In Windows XP, the EveryoneIncludesAnonymous registry setting controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems.
Review the results message associated with the score.
It is recommended that you restrict anonymous access.
Because of the existence of the EveryoneIncludesAnonymous registry setting in Windows XP, scoring for Windows XP and newer operating systems differs from scoring for Windows 2000 Server operating systems.
The following table shows how Client Security determines the score resulting from performing this check on computers running the Windows Vista™ or Windows XP operating system. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.
| Score | Everyone group includes anonymous users | RestrictAnonymous setting | Results message |
| --- | --- | --- | --- |
| High | Yes | 0 | This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security. |
| High | Yes | Doesn't exist | The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0. |
| High | Yes | Not 0, 1, or 2 | Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value. |
| Medium | Yes | 1 | This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security. |
| Low | Yes | 2 | This computer is properly restricting anonymous access. |
| Low | No | Any setting | This computer is properly restricting anonymous access. |
The following table shows how Client Security determines the score resulting from performing this check on a computer running Windows 2000 Server. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.
| Score | RestrictAnonymous setting | RestrictAnonymous setting is missing | Results message |
| --- | --- | --- | --- |
| High | 0 | No | This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security. |
| High | Not applicable | Yes | The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0. |
| High | Not 0, 1, or 2 | No | Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value. |
| Medium | 1 | No | This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security. |
| Low | 2 | No | This computer is properly restricting anonymous access. |
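The two scoring tables above, rendered as a PowerShell function and applied to the local LSA key. This is an added example, not code from Client Security or its documentation; the function names are hypothetical, and a missing EveryoneIncludesAnonymous value is assumed to mean the Windows XP default (Everyone does not include anonymous users).

```powershell
# Added example (hypothetical function names): scores RestrictAnonymous the way the
# two tables above describe. A missing EveryoneIncludesAnonymous value is treated as
# the Windows XP default of 0 (assumption, not stated by the tables).
function Get-RestrictAnonymousScore {
    param(
        [Nullable[int]]$RestrictAnonymous,          # $null when the registry value does not exist
        [Nullable[int]]$EveryoneIncludesAnonymous,  # not consulted on Windows 2000
        [switch]$IsWindows2000
    )
    $ok = 'This computer is properly restricting anonymous access.'
    # Windows XP and later: when Everyone does not include anonymous users, the score
    # is Low whatever RestrictAnonymous says (last row of the first table).
    if (-not $IsWindows2000 -and $EveryoneIncludesAnonymous -ne 1) {
        return [pscustomobject]@{ Score = 'Low'; Message = $ok }
    }
    if ($null -eq $RestrictAnonymous) {
        return [pscustomobject]@{ Score = 'High'; Message = 'The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.' }
    }
    switch ($RestrictAnonymous) {
        0 { $score = 'High';   $msg = 'This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.' }
        1 { $score = 'Medium'; $msg = 'This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.' }
        2 { $score = 'Low';    $msg = $ok }
        default { $score = 'High'; $msg = "Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = $($RestrictAnonymous)." }
    }
    [pscustomobject]@{ Score = $score; Message = $msg }
}

# Apply the check to the local computer. Values absent from the LSA key read back as $null.
function Test-RestrictAnonymous {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $isW2k = [Environment]::OSVersion.Version -lt [Version]'5.1'   # Windows 2000 reports NT 5.0
    Get-RestrictAnonymousScore -RestrictAnonymous $lsa.RestrictAnonymous `
        -EveryoneIncludesAnonymous $lsa.EveryoneIncludesAnonymous -IsWindows2000:$isW2k
}

# Worked rows from the tables above, using constructed inputs rather than live registry data
Get-RestrictAnonymousScore -RestrictAnonymous 1 -EveryoneIncludesAnonymous 1      # Medium
Get-RestrictAnonymousScore -RestrictAnonymous $null -EveryoneIncludesAnonymous 1  # High: value missing
Get-RestrictAnonymousScore -RestrictAnonymous 7 -IsWindows2000                    # High: invalid value
Get-RestrictAnonymousScore -RestrictAnonymous 0 -EveryoneIncludesAnonymous 0      # Low: Everyone excludes anonymous
```

Run Test-RestrictAnonymous in an elevated session to score the local machine; the Score and Message fields match the report text in the tables.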
How to use the RestrictAnonymous registry value in Windows 2000
Everyone Group Does Not Include Anonymous Security Identifier