Anonymous Users and Traverse Checking Settings

Applies To: Windows Server 2003 R2

On computers running Windows XP and Windows Server 2003 operating systems, the Everyone group no longer includes anonymous users by default. This change reduces the number of network resources available by default to anonymous users and simplifies how network administrators can control access by anonymous users.

Implications of Limiting Anonymous Access

With the default denial of anonymous user access, it is easier for administrators to configure a secure system.

The default access control lists (ACLs) on earlier versions of Windows that granted the Everyone group access to resources, and potentially exposed them to attack, no longer grant this access to anonymous users after the computer has been upgraded to Windows XP or Windows Server 2003 operating systems.

Anonymous users cannot accidentally be granted access to resources as in the past, when administrators may not have been aware that anonymous users were included in the Everyone group.

This change affects anonymous users attempting to access resources hosted on computers running Windows XP and Windows Server 2003 operating systems. When a Windows 2000-based system is upgraded to Windows XP or Windows Server 2003, resources with ACLs that grant access to Everyone (and not explicitly to Anonymous Logon) are no longer available to anonymous users after the upgrade. In most cases, this is an appropriate restriction of anonymous access.

You can still allow anonymous access to selected shared directories and files by adding the Anonymous Logon group to the discretionary access control lists (DACLs) protecting those resources. In addition, you should grant the Bypass Traverse Checking user right to the Anonymous Logon group. For more information, see To bypass traverse checking for anonymous users in Windows XP and Windows Server 2003 operating systems.

In some situations, it may be difficult to determine which resources must grant anonymous access, or to modify the permissions on all the necessary resources. If so, you can configure Windows XP and Windows Server 2003 to permit anonymous access by the Everyone group. For more information, see To allow anonymous access by the Everyone group in Windows XP and Windows Server 2003 operating systems.

To bypass traverse checking for anonymous users in Windows XP and Windows Server 2003 operating systems

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Local Security Policy (or Domain Security Policy on a domain controller).

  2. In the console tree, open Security Settings, open either Local Policies or Domain Policies, and then click User Rights Assignment.

  3. In the details pane, right-click Bypass traverse checking, and then click Properties.

  4. Click Add User or Group.

  5. In the Select Users, Computers, or Groups dialog box, type Anonymous Logon in the Enter the object names to select list box.

  6. Click Check names to verify that your entry is valid, and then click OK.

Note

There is no command-line method for this procedure.

To allow anonymous access by the Everyone group in Windows XP and Windows Server 2003 operating systems

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Local Security Policy (or Domain Security Policy on a domain controller).

  2. In the console tree, open Security Settings, open either Local Policies or Domain Policies, and then click Security Options.

  3. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.

  4. To allow permissions applied to the Everyone group to apply to anonymous users, click Enabled.

  5. Or, to prevent permissions applied to the Everyone group from applying to anonymous users, click Disabled.

  6. Click OK.

Note

There is no command-line method for this procedure.
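
To check the outcome of the two procedures above without changing anything, the following added example (not part of the original page) parses a security policy export such as the one written by `secedit /export /cfg` and reports whether Anonymous Logon holds Bypass traverse checking and whether Everyone permissions apply to anonymous users. The sample export text is constructed; the privilege name SeChangeNotifyPrivilege, the SID S-1-5-7 and the EveryoneIncludesAnonymous registry value are assumptions drawn from general Windows knowledge, not from this page.

```python
"""Read-only audit of an exported security policy (INF format) for anonymous-access settings."""
ANONYMOUS_LOGON_SID = "S-1-5-7"             # assumption: well-known SID of Anonymous Logon
TRAVERSE_RIGHT = "SeChangeNotifyPrivilege"  # assumption: internal name of "Bypass traverse checking"
EVERYONE_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous"

# Constructed sample export. Real exports are UTF-16: open(path, encoding="utf-16").
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-7
"""

def parse_inf(text):
    """Return {section: {key: value}} with section names and keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Report the two settings this page configures, as booleans."""
    inf = parse_inf(text)
    holders = inf.get("privilege rights", {}).get(TRAVERSE_RIGHT.lower(), "")
    # Exported SIDs carry a leading '*'; unresolved entries appear as account names.
    principals = {p.strip().lstrip("*").lower() for p in holders.split(",") if p.strip()}
    anon_traverse = (ANONYMOUS_LOGON_SID.lower() in principals
                     or "anonymous logon" in principals)
    # Registry lines are "type,data"; a missing line is treated as Disabled (the default).
    reg = inf.get("registry values", {}).get(EVERYONE_KEY.lower(), "4,0")
    everyone_includes_anon = reg.split(",", 1)[-1].strip() == "1"
    return {"anonymous_bypass_traverse": anon_traverse,
            "everyone_includes_anonymous": everyone_includes_anon}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result of `everyone_includes_anonymous: True` means every ACL that grants access to Everyone also grants it to anonymous users, so it is the setting to review first on a host that should restrict anonymous access.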