Disabling Null sessions on W2K machines from Win2003 DCs

September 7, 2005 11:09:06 AM

Archived from groups: microsoft.public.win2000.group_policy

This one's rather long and involved - my deepest gratitude to anyone who can
be bothered to read to the end and help!

I am trying to address a security vulnerability in my Windows servers (both
2003 and 2000).
Specifically I am trying to disable null NetBIOS sessions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261

This can be done per machine using the Local Security Policy editor
(Secpol.msc), however I am trying to apply this via Group Policy (as this
option is available) rather than having to apply it manually to each of my
servers.

The setting within the Local Security Policy editor and the Group Policy
editor has changed from Windows 2000 to Windows 2003/XP so that one of the
'value data' entries which was available with Windows 2000 is no longer
available in 2003/XP.

As my Domain & Forest functional levels are both Windows Server 2003 it is
natural that I should manage Group Policy from the DCs (2003 machines).

What I need to know is what the official Microsoft advice is when trying to
apply a setting to a Windows 2000 machine via Group Policy when the setting
is not available via the Policy editor in Windows 2003.

Details of the differences between W2K and WIN2003 are below:

Windows 2000

Computer Configuration==>Windows Settings==>Security Settings==>Local
Policies==>Security Options

'Additional Restrictions for anonymous connections'

Possible settings for this policy are:

None. Rely on default permissions
Do not allow enumeration of SAM accounts and shares
No access without explicit anonymous permissions


This policy corresponds to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD:
restrictanonymous

The policy settings change the value data of 'restrictanonymous' as follows:

None. Rely on default permissions==>restrictanonymous=0
Do not allow enumeration of SAM accounts and shares==>restrictanonymous=1
No access without explicit anonymous permissions==>restrictanonymous=2

Windows Server 2003

Computer Configuration==>Windows Settings==>Security Settings==>Local
Policies==>Security Options

Network access: Do not allow anonymous enumeration of SAM accounts and
shares

Possible settings for this policy are:

Enabled
Disabled

This policy also corresponds to the same registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD:
restrictanonymous

However the policy settings in Windows Server 2003 change the value data of
'restrictanonymous' as follows:

Enabled==>restrictanonymous=1
Disabled==>restrictanonymous=0


So the option to change the DWORD 'restrictanonymous' to a value of 2 is no
longer available via the Group Policy editor in Windows 2003/XP even though
this is a setting recommended by Microsoft for Windows 2000 machines.

Any help greatly appreciated.

PProctor
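The question above hinges on one registry value, so the first thing to do is see what each server actually has in it today and whether anonymous enumeration is really blocked. The following PowerShell script is an added example written for this page, not code from the original thread. It reads RestrictAnonymous over the remote registry, can set it, and performs the null-session check from KB 246261 (net use with empty credentials, then net view). It assumes the Remote Registry service is reachable on each target, that the caller is a local administrator there, and that the server names are constructed placeholders.

```powershell
# Added example, not from the original thread. Audits RestrictAnonymous on a
# list of servers, optionally sets it, and probes whether shares can still be
# enumerated over a null session. Assumptions: Remote Registry is running on
# each target, the caller is a local admin there, server names are constructed.

$LsaKeyPath = 'SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'RestrictAnonymous'
$Servers    = @('W2K-FILE01', 'W2K-FILE02', 'W2K3-DC01')   # constructed names
# What the post describes as reachable per platform: Windows 2000 can take 2,
# the Windows Server 2003 policy UI only writes 0 or 1 to this value.

function Get-RestrictAnonymous {
    param([Parameter(Mandatory=$true)][string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($LsaKeyPath)
        if (-not $key) { return $null }
        try {
            $v = $key.GetValue($ValueName)
            # A missing value behaves like 0 ("None. Rely on default permissions").
            if ($null -eq $v) { return 0 } else { return [int]$v }
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Set-RestrictAnonymous {
    param([Parameter(Mandatory=$true)][string]$Computer,
          [Parameter(Mandatory=$true)][ValidateSet(0, 1, 2)][int]$Value)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($LsaKeyPath, $true)   # open writable
        try { $key.SetValue($ValueName, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    } finally { $hklm.Close() }
}

# Null-session probe: connect to IPC$ with empty credentials and ask for the
# share list. cmd.exe carries the command so the empty "" arguments reach
# net.exe intact (PowerShell drops empty native arguments).
function Test-AnonymousShareEnum {
    param([Parameter(Mandatory=$true)][string]$Computer)
    cmd.exe /c "net use \\$Computer\IPC$ `"`" /user:`"`" >nul 2>&1"
    if ($LASTEXITCODE -ne 0) { return 'null session refused' }
    try {
        cmd.exe /c "net view \\$Computer >nul 2>&1"
        if ($LASTEXITCODE -eq 0) { return 'shares ENUMERABLE anonymously' }
        return 'session allowed, enumeration refused'
    } finally {
        cmd.exe /c "net use \\$Computer\IPC$ /delete /y >nul 2>&1" | Out-Null
    }
}

foreach ($s in $Servers) {
    try {
        $current = Get-RestrictAnonymous -Computer $s
        $probe   = Test-AnonymousShareEnum -Computer $s
        # Uncomment to enforce the Windows 2000 recommendation on a 2000 box
        # (the W2K- prefix is a constructed naming convention for this example):
        # if ($s -like 'W2K-*' -and $current -lt 2) { Set-RestrictAnonymous -Computer $s -Value 2 }
        '{0,-12} RestrictAnonymous={1}  probe: {2}' -f $s, $current, $probe
    } catch {
        '{0,-12} ERROR: {1}' -f $s, $_.Exception.Message
    }
}
```

Two caveats worth keeping in mind before setting 2 by hand. First, the Security Settings part of Group Policy is re-applied on a fixed refresh cycle whether or not the GPO has changed, so a manually set 2 on a Windows 2000 server will be driven back to 1 the next time a 2003-authored GPO with "Network access: Do not allow anonymous enumeration of SAM accounts and shares" set to Enabled refreshes on it. Second, KB 246261 itself notes that a value of 2 can interfere with down-level trust relationships and the Computer Browser service, so test it on one server before rolling it out.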
September 8, 2005 2:05:13 PM


Hi,

I have not tried what you suggested. But how about setting your own admin
template files?


Using Administrative Template Files with Registry-Based Group Policy
http://www.microsoft.com/technet/prodtechnol/windowsser...

br,
Denis

"PProctor" <PProctor@discussions.microsoft.com> wrote in message
news:EE246DD3-FAEB-4AA5-ADE5-57C75EE6981A@microsoft.com...
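Denis's suggestion is the standard way to deliver a registry value the built-in policy editor no longer exposes. The block below is an added example written for this page, not code from the thread or from Microsoft: a custom ADM template that puts all three Windows 2000 values (0, 1, 2) back into the Group Policy editor as a drop-down, wrapped in a PowerShell helper that writes it into a GPO's Adm folder in SYSVOL. The category and policy labels, the example domain name and the GPO GUID placeholder are assumptions for illustration.

```powershell
# Added example, not from the original thread. A custom ADM template exposing
# RestrictAnonymous with the three Windows 2000 values, plus a helper that
# writes it into a GPO's Adm folder. Domain name, GPO GUID placeholder and the
# category/policy wording are assumptions for illustration.

$RestrictAnonymousAdm = @'
CLASS MACHINE
CATEGORY !!CustomSecCat
    KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa"
    POLICY !!RAPol
        EXPLAIN !!RAExplain
        PART !!RAPart DROPDOWNLIST REQUIRED
            VALUENAME "RestrictAnonymous"
            ITEMLIST
                NAME !!RA0 VALUE NUMERIC 0 DEFAULT
                NAME !!RA1 VALUE NUMERIC 1
                NAME !!RA2 VALUE NUMERIC 2
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY

[strings]
CustomSecCat="Custom Security Options (Windows 2000 targets)"
RAPol="Additional restrictions for anonymous connections (RestrictAnonymous)"
RAPart="Restriction level:"
RA0="None. Rely on default permissions (0)"
RA1="Do not allow enumeration of SAM accounts and shares (1)"
RA2="No access without explicit anonymous permissions (2)"
RAExplain="Sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD). Value 2 is the Windows 2000 recommendation from KB 246261. Scope the GPO that carries this template to Windows 2000 machines only."
'@

function Install-RestrictAnonymousAdm {
    param(
        # e.g. \\example.local\SYSVOL\example.local\Policies\{GPO-GUID}\Adm (placeholder)
        [Parameter(Mandatory=$true)][string]$GpoAdmFolder,
        [string]$FileName = 'RestrictAnonymous.adm'
    )
    if (-not (Test-Path -LiteralPath $GpoAdmFolder)) {
        New-Item -ItemType Directory -Path $GpoAdmFolder | Out-Null
    }
    $target = Join-Path $GpoAdmFolder $FileName
    # Write the template as Unicode with a BOM, the form the editor reads.
    Set-Content -LiteralPath $target -Value $RestrictAnonymousAdm -Encoding Unicode
    return $target
}

# Usage (placeholder path, not a real GPO):
# Install-RestrictAnonymousAdm -GpoAdmFolder '\\example.local\SYSVOL\example.local\Policies\{GPO-GUID}\Adm'
```

Copying the file into the GPO's Adm folder is what the editor's Add/Remove Templates dialog does for you, so either route works. Three things to check once it is loaded. The Lsa key is outside the keys the editor treats as true policy, so the new category is hidden until you turn off View, Filtering, "Only show policy settings that can be fully managed"; for the same reason the value tattoos, that is, it stays in the registry when the GPO no longer applies. The built-in "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting writes the same value, so leave it Not Defined in every GPO that reaches the Windows 2000 servers, or the two will overwrite each other on each refresh. And because Windows Server 2003 and XP no longer implement the value 2 behaviour through this entry, scope the GPO by OU or WMI filter so only Windows 2000 machines receive it.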