Eliminate Anonymous Connections to Domain Controllers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Some servers in the domain host services that run as Local System and use Anonymous or null credentials when accessing a domain controller, such as Windows NT 4.0 RAS servers. After you upgrade all of these servers, remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access built-in group. This task increases the security of your domain by preventing anonymous connections to domain controllers.

To remove groups from the Pre-Windows 2000 Compatible Access Group using the command line

  • At a command prompt, type:

    net localgroup "Pre-Windows 2000 Compatible Access" GroupName /delete

When using the net localgroup command to add or delete any group or group member name that includes spaces, such as the Anonymous Logon group, you must enclose the group name in quotation marks.
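The procedure above, applied to both groups with a membership check before and after, as an added example that is not part of the original page. It assumes it is run at a command prompt on a domain controller by an account allowed to modify built-in groups, and that `net localgroup` lists the two members with the text "Everyone" and "Anonymous Logon" in their names.

```batch
@echo off
rem Added example, not from the original page.
rem Assumption: run on a domain controller with rights to modify built-in groups.
setlocal
set "GROUP=Pre-Windows 2000 Compatible Access"

echo Members before the change:
net localgroup "%GROUP%"

rem Both names are quoted; "Anonymous Logon" contains a space and requires it.
call :RemoveMember "Everyone"
call :RemoveMember "Anonymous Logon"

echo Members after the change:
net localgroup "%GROUP%"

rem Final check: fail if either group is still listed as a member.
rem Assumption: the member names are displayed containing these strings.
net localgroup "%GROUP%" | findstr /I /C:"Everyone" /C:"Anonymous Logon" >nul
if not errorlevel 1 (
    echo WARNING: Everyone or Anonymous Logon is still a member of "%GROUP%".
    exit /b 1
)
echo OK: neither group is a member of "%GROUP%".
exit /b 0

:RemoveMember
rem %~1 is the member name with the surrounding quotation marks stripped.
net localgroup "%GROUP%" | findstr /I /C:"%~1" >nul
if errorlevel 1 (
    echo %~1 is not a member; nothing to remove.
    goto :eof
)
net localgroup "%GROUP%" "%~1" /delete
if errorlevel 1 echo Failed to remove %~1 from "%GROUP%".
goto :eof
```

A nonzero exit code means at least one of the two groups is still a member, so the script can be rerun after correcting the cause.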