Additional restrictions for anonymous access

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description

Determines what additional restrictions should be placed on anonymous connections to the computer.

Windows 2000 allows anonymous users to perform certain activities such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By default, an anonymous user has the same access that is granted to the Everyone group for a given resource.

This security option allows additional restrictions to be placed on anonymous connections as follows:

• None. Rely on default permissions.

• Do not allow enumeration of SAM accounts and shares. This option replaces "Everyone" with "Authenticated Users" in the security permissions for resources.

• No access without explicit anonymous permissions. This option removes "Everyone" and "Network" from the anonymous users token; thus requiring that "Anonymous" be given explicit access to any required resources.

This policy is defined by default in Local Computer Policy. By default, no additional restrictions are in place for anonymous connections.