Restricting Anonymous Access
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In Windows Server 2003, access that was available to Anonymous users in Windows NT 4.0 is available only to Everyone and Guest accounts. However, in some of the following situations you might still need to allow Anonymous access to portions of your network.
Some of the services running versions of Windows earlier than Windows 2000 use anonymous access to request user account information from domain controllers and to list network shares on file servers and workstations.
You also might need to allow Anonymous access when an administrator in the trusting domain of a one-way trust relationship across forests needs to list users and shares in the trusted domain of another forest.
In addition, the Windows NT Remote Access Service (RAS) uses anonymous logon to determine whether a user has permission to establish a RAS connection. Anonymous access to Active Directory is used to change passwords from earlier systems. This form of anonymous access is enabled by the Pre-Windows 2000 compatible access security group, which is a local group found only on Windows 2000 and Windows Server 2003 domain controllers. By default, this group has read access to user and group objects in Active Directory.
If you need to support networks containing a mix of Windows NT 4.0, Windows 2000, and Windows Server 2003 desktops and servers, you must take into account the new restrictions on anonymous access by doing the following:
First determine which services and applications require anonymous access to network resources, and identify the servers to which anonymous access is needed.
Then decide whether to add the Anonymous Logon identity to specific access control lists (ACLs), or to make security policy changes that relax the restrictions that Windows Server 2003 places on anonymous access.
You can regulate anonymous access by doing the following:
Edit the ACLs of the resources, adding the Anonymous Logon identity to the list of authorized users. This approach is the most secure, but requires editing the ACLs of each resource, which might be difficult to manage or troubleshoot.
Use the Do not allow anonymous enumeration of SAM accounts and shares policy Group Policy object, which can be found in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options, to prevent attackers from using anonymous connections to obtain information about accounts and shares on a computer. Preventing Security Accounts Manager (SAM) account enumeration can help thwart attacks, but also prevents legitimate users in other domains from obtaining this information.
Disable or do not configure this policy if your domain includes computers running versions of Windows earlier than Windows 2000 or if it has an outbound, one-way trust relationship with a domain in another forest. The browser service on computers running Windows NT 4.0 and earlier requires the ability to enumerate shares anonymously when it connects to backup browsers, master browsers, and domain master browsers to retrieve server lists and domain lists. Users on the trusting side of a one-way trust relationship need the ability to enumerate SAM accounts anonymously when they add domain accounts and groups on the trusted side of the relationship to security groups in the trusting domain.
For more information about domain and forest trust relationships, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at http://www.microsoft.com/reskit).
Use the Let Everyone permissions apply to anonymous users policy to extend anonymous access to match the Windows NT 4.0 model. If this policy is enabled, Anonymous users can access any resource that Everyone is allowed to access. Do not enable this policy unless there is a compelling business reason to compromise the security provided by requiring some form of authentication. If you do enable this policy, work to disable it by editing the ACLs of specific resources to allow anonymous access, as required in particular cases.
If you need to permit clients running versions of Windows earlier than Windows 2000 to change their passwords, add the Everyone and Anonymous Logon groups to the Pre-Windows 2000 compatible access group, enabling anonymous access to the accounts. The membership of this group is determined by a user option during the installation of the first domain controller in the domain. You can change the group membership if necessary.