how do I set restrict anonymous to 2

    Question

  • I want to change the registry setting for restrictanonymous to "2" (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous). I created a script to do this but noticed the setting kept on going back to "1". Found out that there is a GPO in our organization that is setting "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to Enabled. This would allow the setting to be "1".

    I have looked everywhere and the only thing I can find that changes this to 2 is another GPO called "Select \Security Settings\Local Policies\Additional restrictions for anonymous connections\"... but this does not exist in Windows Server 2008 GPO (nor 2012)...

    I know that the current setting of "1" is far from fine but we have been pretty much forced by security to set this to "2". Is there any way of setting this in GPO to "2"? The existing GPO only sets it to "1" when enabled.

    What makes matters worse is that it is a default domain policy - i.e. the highest policy, and our organization is huge so I doubt I can ever get that changed. I want to apply this to all servers (talking about thousands of them).

    Wednesday, February 25, 2015 11:59 AM

Answers

  • > I know that the current setting of "1" is far from fine but we have been
     
    Why should it be "far from fine"?
     
    > pretty much forced by security to set this to "2". Is there anyway of
    > setting this in GPO to "2"? The existing GPO only sets it to "1" when
    > enabled.
     
    Edit your GPO from a W2K system and you will be able to do so. Or
    manually edit the gpttmpl.inf file in the GPO's sysvol folder and change
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
    to
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
     
    But be aware that RestrictAnonymous=2 was replaced with
    EveryoneIncludesAnonymous=0 starting with XP/2003. And MS does not
    recommend setting RestrictAnonymous=2 in environments with computers
    running Server 2003 or newer -
     

    Martin

    How about reading a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, February 25, 2015 1:02 PM
  • > I did not know about EveryoneIncludesAnonymous=0. But again, the article
    > seems to state that the key just allows if the everyone groups includes
    > anonymous rather then replacing restrictanonymous - again, am I reading
    > this wrong?
     
    Starting with XP/2003, RestrictAnonymous=2 behaves the same way as
    RestrictAnonymous=1.
     
    > Just wondering, if I set EveryoneIncludesAnonymous=0 and
    > restrictanonymous=2....then I would assume this provides a very high
    > level of security..
     
    No, see above :)
     

    Martin

    How about reading a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, February 25, 2015 2:15 PM
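    The question above reports the value drifting back to "1" under the domain GPO, Martin's first answer shows the `RestrictAnonymous=4,2` line format that the GPO's GptTmpl.inf uses (the `4` is the REG_DWORD type code), and his second answer brings in `EveryoneIncludesAnonymous`. The PowerShell below is an added example, not code from this thread, from Martin, or from Microsoft: it parses the `[Registry Values]` section of a GptTmpl.inf, reads the three live Lsa values locally or over WinRM, and reports where the registry disagrees with the template, so you can see which value is actually winning on a given server before touching anything. The function names are my own, the template path in the usage line is a placeholder, and remote reads assume PowerShell remoting is already permitted; the script only reads, it never writes to SYSVOL or the registry.

```powershell
# Added example (not from the thread). Read-only audit of the Lsa anonymous-access
# values against what a security template (GptTmpl.inf) declares.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueNames = 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous'

# Parse the [Registry Values] section of a security template. Each entry has the
# form  MACHINE\<subkey>\<name>=<type>,<data>  where type 4 is REG_DWORD.
function Get-TemplateRegistryValues {
    param([Parameter(Mandatory)][string]$Path)

    $inSection = $false
    $result = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Registry Values')
            continue
        }
        if (-not $inSection -or $trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }

        # e.g. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
        if ($trimmed -match '^(?<key>MACHINE\\.+)\\(?<name>[^\\=]+)=(?<type>\d+),(?<data>.*)$') {
            $result[$Matches['name']] = [pscustomobject]@{
                Key  = $Matches['key'] -replace '^MACHINE\\', 'HKLM:\'
                Name = $Matches['name']
                Type = [int]$Matches['type']
                Data = $Matches['data']
            }
        }
    }
    return $result
}

# Read the live values on the local machine or on a list of servers (WinRM assumed).
function Get-LsaAnonymousSettings {
    param([string[]]$ComputerName = @('localhost'))

    $reader = {
        param($Key, $Names)
        $props = Get-ItemProperty -Path $Key -ErrorAction Stop
        foreach ($n in $Names) {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Name         = $n
                Value        = $props.$n    # $null when the value is absent
            }
        }
    }
    foreach ($c in $ComputerName) {
        if ($c -eq 'localhost') { & $reader $LsaKey $ValueNames }
        else { Invoke-Command -ComputerName $c -ScriptBlock $reader -ArgumentList $LsaKey, $ValueNames }
    }
}

# Compare the template's intent with what is actually in the registry.
# Drift = $true means the live value differs from what the template sets.
function Compare-LsaAnonymousSettings {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [string[]]$ComputerName = @('localhost')
    )
    $template = Get-TemplateRegistryValues -Path $TemplatePath
    Get-LsaAnonymousSettings -ComputerName $ComputerName | ForEach-Object {
        $expected = if ($template.ContainsKey($_.Name)) { [int]$template[$_.Name].Data } else { $null }
        [pscustomobject]@{
            ComputerName = $_.ComputerName
            Name         = $_.Name
            Live         = $_.Value
            GpoTemplate  = $expected
            Drift        = ($null -ne $expected -and $expected -ne $_.Value)
        }
    }
}

# Usage (placeholder path; substitute your domain and the GPO's GUID folder under SYSVOL):
# Compare-LsaAnonymousSettings `
#     -TemplatePath '\\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf' `
#     -ComputerName 'localhost', 'SERVER01' | Format-Table -AutoSize
```

    Running this shortly after `gpupdate /force` shows whether the domain-level template is the source of the reset the question describes; a `Drift` of `$true` on `RestrictAnonymous` with `GpoTemplate` 1 and `Live` 2 means a local change has not yet been overwritten, while `Live` 1 means the GPO has re-applied. Reading `EveryoneIncludesAnonymous` alongside it matters because, as the second answer notes, that value rather than `RestrictAnonymous=2` is what governs anonymous membership in Everyone on XP/2003 and later.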

All replies

  • Thanks for that - in my test lab I managed to create a registry value change in GPO and set it to RestrictAnonymous=2 (looking at the gpttmpl.inf file it is also showing RestrictAnonymous=4,2). But, I think your way seems better in our environment.

    The article you mentioned does not explicitly state Windows Server 2003 - but states "Microsoft Windows Small Business Server 2003 (Windows SBS)". Plus the scoring results table shows that restrictanonymous=2 is actually providing a high level of security (i.e. a low threat)... unless I am reading the whole article incorrectly, is this not what it is showing?

    I did not know about EveryoneIncludesAnonymous=0. But again, the article seems to state that the key just allows if the Everyone group includes anonymous rather than replacing restrictanonymous - again, am I reading this wrong?

    Just wondering, if I set EveryoneIncludesAnonymous=0 and restrictanonymous=2... then I would assume this provides a very high level of security.

    Wednesday, February 25, 2015 1:37 PM