restrictAnonymous RestrictAnonymousSAM EveryoneIncludesAnonymous TurnOffAnonymousBlock RestrictNullSessAccess NullSessionPipes NullSessionShares

  • Hello,

    I'm considering making the following reg changes on my 2003, 2008, and 2008R2 servers:

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

    with the following values:

          Value Name: RestrictAnonymous
          Data Type: REG_DWORD
          Data Value: 1

          Value Name: RestrictAnonymousSAM
          Data Type: REG_DWORD
          Data Value: 1

          Value Name: EveryoneIncludesAnonymous
          Data Type: REG_DWORD
          Data Value: 0

    and set the following value to 0 (or, alternatively, delete it):

          Value Name: TurnOffAnonymousBlock
          Data Type: REG_DWORD
          Data Value: 0

    Modify the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\

    with the following values:

          Value Name: RestrictNullSessAccess
          Data Type: REG_DWORD
          Data Value: 1

          Value Name: NullSessionPipes
          Data Type: REG_MULTI_SZ
          Data Value: "" (empty string, without quotes)

    Open Local Security Settings, and disable the following setting:

           Security Settings -> Local Policies -> Security Options ->
           Network access: Allow anonymous SID/Name translation: Disabled


    In general, I know the RestrictAnonymous and related settings will break several things for old NT4 downlevel clients and domains, and also break the 'browser' service, and so any apps relying on the browser service. Anything else? And barring third-party apps, what does this really mean for the OS operations when there are no NT4 boxes to consider? Will there be any issues on 2003, 2008, 2008R2 with things like IIS, SMTP, and SQL Server?

    I realize the best/only way to be sure is to test, but I don't really have an exact configuration to test, looking for more general if/then/else stuff here... What I'm doing now is trying to get info to determine the likelihood these settings can safely be included in 'base' installs for servers, that typically will become web and/or database servers (IIS/SQL Server), but may wind up being configured for any other roles... so another way I'm looking at it is, if I include these settings in my base installs, how often might they need to be changed in order to get other, less typical roles working, with 'less typical' for me meaning not an IIS/SMTP or SQL Server? 

    So there is my discussion-orienting info, and here are the 2 specific categories I'm hoping to get some discussion going on:

    1. known issues/problems with these settings related to IIS, SMTP, SQL Server

    2. theoretically speaking, examples of possible effects of these settings on anything in 2003/2008/2008R2 based systems

    Any input would be appreciated, thanks!

    • Changed type c0pe Thursday, May 6, 2010 10:13 AM
    Wednesday, May 5, 2010 1:14 PM

All replies

  • I know this is an older post, but did you make this change?

    What were the effects? I am considering the same.

    Wednesday, March 2, 2011 5:18 PM
  • I always do like that, but through Group Policy (Security Options). No side effects.

    Null sessions may be required to establish trusts between domains. I have not experienced any bad consequences to IIS, SMTP, SQL.


    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
    Wednesday, March 2, 2011 6:44 PM
  • I'm trying to do the same. Which policy settings do you enable/disable to make the registry changes in Group Policy Management?
    Thursday, June 20, 2013 1:50 PM
  • This is exactly what we are planning to enable on all systems. Has anyone experienced issues with restricting these settings?
    Monday, July 8, 2013 10:45 AM
  • Also, would the GPO settings below cover all of it, or did I miss something?

    Policy                                                                          Setting
    Network access: Allow anonymous SID/Name translation                            Disabled
    Network access: Do not allow anonymous enumeration of SAM accounts              Enabled
    Network access: Let Everyone permissions apply to anonymous users               Disabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares   Enabled

    Monday, July 8, 2013 11:01 AM
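The following is an added example, not code from this thread or from Microsoft. It audits the registry values listed in the original post and, for each one, names the Group Policy "Security Options" entry that writes it, which is the mapping the last two replies ask about. The policy-to-value mapping is the one Windows uses: RestrictAnonymousSAM and RestrictAnonymous are the two "Do not allow anonymous enumeration" policies, EveryoneIncludesAnonymous is "Let Everyone permissions apply to anonymous users", RestrictNullSessAccess is "Restrict anonymous access to Named Pipes and Shares", and NullSessionPipes/NullSessionShares are the two "... that can be accessed anonymously" lists. TurnOffAnonymousBlock has no policy counterpart, and "Allow anonymous SID/Name translation" is not a registry value at all, so the script reads it from a `secedit` export instead. It assumes an elevated prompt and PowerShell 3.0 or later; the `Get-RegValue`, `Test-Expected` names and the temporary `anon-audit.inf` file are mine.

```powershell
# Added example (not from the thread): audit the anonymous-access hardening
# described in the original post and map each value to its Security Options
# policy. Run from an elevated PowerShell 3.0+ prompt on the server to check.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Expected state taken from the original post. Policy is the Group Policy
# "Security Options" entry that writes the value; $null means the value can
# only be set directly in the registry. AllowMissing marks values where an
# absent entry is acceptable (the post says TurnOffAnonymousBlock may be set
# to 0 or deleted; an absent REG_MULTI_SZ list exempts no pipes/shares).
$expected = @(
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1;   AllowMissing = $false
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts (Enabled)' }
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Want = 1;   AllowMissing = $false
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares (Enabled)' }
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0;   AllowMissing = $true
       Policy = 'Network access: Let Everyone permissions apply to anonymous users (Disabled)' }
    @{ Path = $lsa; Name = 'TurnOffAnonymousBlock';     Want = 0;   AllowMissing = $true
       Policy = $null }
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Want = 1;   AllowMissing = $false
       Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares (Enabled)' }
    @{ Path = $srv; Name = 'NullSessionPipes';          Want = @(); AllowMissing = $true
       Policy = 'Network access: Named Pipes that can be accessed anonymously (empty)' }
    @{ Path = $srv; Name = 'NullSessionShares';         Want = @(); AllowMissing = $true
       Policy = 'Network access: Shares that can be accessed anonymously (empty)' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value data, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # The leading comma keeps an (even empty) REG_MULTI_SZ array intact
    # instead of letting the pipeline unroll it into nothing.
    return ,$item.$Name
}

function Test-Expected {
    param($Actual, $Want)
    if ($Want -is [array]) {
        # REG_MULTI_SZ lists are compliant only when they hold no non-empty entries.
        $entries = @($Actual | Where-Object { -not [string]::IsNullOrEmpty($_) })
        return ($entries.Count -eq 0)
    }
    return ([int]$Actual -eq $Want)
}

$report = foreach ($e in $expected) {
    $actual = Get-RegValue -Path $e.Path -Name $e.Name
    $status = if ($null -eq $actual) {
                  if ($e.AllowMissing) { 'OK (not set)' } else { 'NOT SET' }
              } elseif (Test-Expected -Actual $actual -Want $e.Want) { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{
        Value  = $e.Name
        Actual = if ($null -eq $actual) { '<absent>' } else { ($actual -join ';') }
        Wanted = if ($e.Want -is [array]) { '<empty list>' } else { $e.Want }
        Status = $status
        Policy = if ($e.Policy) { $e.Policy } else { '(registry only, no Security Options entry)' }
    }
}
$report | Format-Table -AutoSize -Wrap

# "Allow anonymous SID/Name translation" is stored in the local security
# policy database, not the registry, so read it from a secedit export
# ([System Access] LSAAnonymousNameLookup, 0 = Disabled, 1 = Enabled).
$inf = Join-Path $env:TEMP 'anon-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$text = (Get-Content $inf) -join "`n"
Remove-Item $inf -ErrorAction SilentlyContinue
$m = [regex]::Match($text, 'LSAAnonymousNameLookup\s*=\s*(\d)')
$sidLookup = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
$sidStatus = switch ($sidLookup) {
    0       { 'OK (Disabled)' }
    1       { 'MISMATCH (Enabled)' }
    default { 'NOT FOUND in export' }
}
"Network access: Allow anonymous SID/Name translation : $sidStatus"
```

Run it before and after the base-image change (or after a GPO refresh with `gpupdate /force`) and keep the two reports: a value that shows MISMATCH after the policy has applied usually means a second GPO with higher precedence is writing the same key, and a NOT SET on RestrictAnonymous or RestrictNullSessAccess means the policy list in the last reply is missing the corresponding Security Options entry.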