System Advice

RestrictAnonymous and Your Server

To have a truly secure server, you'll want to require proper authentication before allowing access. The restrictanonymous registry setting allows you to control anonymous access, and make authenticated access necessary.

The restrictanonymous registry setting, if not used properly, can affect access to your server in several possibly unanticipated ways.

Your server son't be enumerated by the browser.
Your server won't be accessible thru Guest authentication.
Your server may not have its name successfully resolved to an address. Other computers may display an "error = 53" when trying to access your server.

The browser process is designed to run from a server, which would typically be unattended, and not logged on. It uses anonymous access to enumerate any server under its notice. Since it requires anonymous access, browser operation is subject to interference by the restrictanonymous setting.

Since the Guest account is equivalent to anonymous access, the restrictanonymous setting can likewise interfere with Guest access.

And, in at least one case which I have observed, the restrictanonymous setting can interfere with name resolution.

The Zotob worm, as we are instructed by ISC / SANS Zotob affecting some XP SP2/2003?, uses anonymous SAM enumeration to spread. That ability is controlled by the restrictanonymoussam setting. The ISC article goes further, predicting that one day some currently unknown worm may use anonymous shares enumeration, and recommends setting restrictanonymous to block such expected activity. If you followed such a recommendation, and you are now here, that is why you're here.

Enumeration of your server, and other relationships described above, requires anonymous access.

Look at registry key (spaces added for readability) [HKLM \System \CurrentControlSet \Control \Lsa], value restrictanonymous, on any server with either problem.

For anonymous access to work (for any server to be enumerated by a browser, or for Guest authentication to take place), a server must have a restrictanonymous value of "0". If the value on your server isn't "0", change it and restart the server.

NOTE Only worry about one specific value here: restrictanonymous.

The relevant key node is CurrentControlSet. ControlSet001, ControlSet002, ... are mirrors of that key, and are not relevant, when you're working on this problem.
The relevant value here is restrictanonymous. The peer value, restrictanonymoussam, is not relevant, when you're working on this problem.

Only worry about the restrictanonymous value in the [HKLM \System \CurrentControlSet \Control \Lsa] registry key.

Besides restrictanonymous, though, you might want to be aware of the Hidden, and the RestrictNullSessAccess, registry settings.

For more information, you might want to read:

JSI FAQ 2625 New Windows 2000 RestrictAnonymous registry value.
Microsoft RestrictAnonymous.
Microsoft (KB246261): How to Use the RestrictAnonymous Registry Value in Windows 2000.
Microsoft (KB296403): The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain Environment.
Microsoft Threats and Countermeasures Chapter 5: Security Options.

The above articles refer to Windows 2000, and to Server 2003. Remember Win2K is NT V5.0, WinXP is NT V5.1, and Windows Vista is NT V6.0.

▲ Top