Disabling Null sessions on W2K machines from Win2003 DCs

Archived from groups: microsoft.public.win2000.group_policy (More info?)

This one's rather long and involved - my deepest gratitude to anyone who can
be bothered to read to the end and help!

I am trying to address a security vulnerability in my Windows servers (both
2003 and 2000).
Specifically I am trying to disable null NetBIOS sessions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261

This can be done per machine using the Local Security Policy editor
(Secpol.msc), however I am trying to apply this via Group Policy (as this
option is available) rather than having to apply it manually to each of my
servers.

The setting within the Local Security Policy editor and the Group Policy
editor has changed from Windows 2000 to Windows 2003/XP so that one of the
'value data' entries which was available with Windows 2000 is no longer
available in 2003/XP.

As my Domain & Forest functional levels are both Windows Server 2003 it is
natural that I should manage Group Policy from the DCs (2003 machines).

What I need to know is what the official Microsoft advice is when trying to
apply a setting to a Windows 2000 machine via Group Policy when the setting
is not available via the Policy editor in Windows 2003.

Details of the differences between W2K and WIN2003 are below:

Windows 2000

Computer Configuration==>Windows Settings==>Security Settings==>Local Policies==>Security Options

'Additional Restrictions for anonymous connections'

Possible settings for this policy are:

None. Rely on default permissions
Do not allow enumeration of SAM accounts and shares
No access without explicit anonymous permissions


This policy corresponds to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD: restrictanonymous

The policy settings change the value data of 'restrictanonymous' as follows:

None. Rely on default permissions==>restrictanonymous=0
Do not allow enumeration of SAM accounts and shares==>restrictanonymous=1
No access without explicit anonymous permissions==>restrictanonymous=2

Windows Server 2003

Computer Configuration==>Windows Settings==>Security Settings==>Local Policies==>Security Options

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Possible settings for this policy are:

Enabled
Disabled

This policy also corresponds to the same registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa==>DWORD: restrictanonymous

However the policy settings in Windows Server 2003 change the value data of
'restrictanonymous' as follows:

Enabled==>restrictanonymous=1
Disabled==>restrictanonymous=0


So the option to change the DWORD 'restrictanonymous' to a value of 2 is no
longer available via the Group Policy editor in Windows 2003/XP even though
this is a setting recommended by Microsoft for Windows 2000 machines.

Any help greatly appreciated.

PProctor

Hi,

I have not tried what you suggested. But how about setting your own admin
template files?

Using Administrative Template Files with Registry-Based Group Policy
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

br,
Denis

"PProctor" <PProctor@discussions.microsoft.com> wrote in message
news:EE246DD3-FAEB-4AA5-ADE5-57C75EE6981A@microsoft.com...
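The approach Denis points at, worked through as an added example (this template is not part of the thread, the linked TechNet article or any Microsoft-supplied ADM file; the category and string names are invented for illustration): a custom ADM file that exposes all three Windows 2000 RestrictAnonymous levels as a drop-down list, so a Windows Server 2003 DC can push the value 2 that the built-in security template no longer offers. The registry key and the 0/1/2 value mapping are exactly those given in the original post.

```adm
; Example ADM template (not from the thread or from Microsoft):
; exposes the Windows 2000 "Additional restrictions for anonymous
; connections" levels 0, 1 and 2 as a registry-based Group Policy.
CLASS MACHINE

CATEGORY !!Cat_Custom
    CATEGORY !!Cat_Lsa
        POLICY !!Pol_RestrictAnonymous
            ; SUPPORTED is only understood by the XP/2003 policy editor,
            ; so it is guarded for older editors.
            #if version >= 4
                SUPPORTED !!Sup_W2K
            #endif
            EXPLAIN !!Pol_RestrictAnonymous_Help
            ; Same key as in the post; the value name is the DWORD
            ; restrictanonymous (registry names are case-insensitive).
            KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa"

            PART !!Part_Level DROPDOWNLIST REQUIRED
                VALUENAME "RestrictAnonymous"
                ITEMLIST
                    ; 0 = None. Rely on default permissions
                    NAME !!Lvl_None      VALUE NUMERIC 0
                    ; 1 = Do not allow enumeration of SAM accounts and shares
                    NAME !!Lvl_NoEnum    VALUE NUMERIC 1 DEFAULT
                    ; 2 = No access without explicit anonymous permissions
                    NAME !!Lvl_NoAccess  VALUE NUMERIC 2
                END ITEMLIST
            END PART
        END POLICY
    END CATEGORY
END CATEGORY

[strings]
Cat_Custom="Custom Security Settings (example ADM)"
Cat_Lsa="LSA anonymous access"
Pol_RestrictAnonymous="Additional restrictions for anonymous connections (W2K)"
Pol_RestrictAnonymous_Help="Writes HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous. Level 2 is the Windows 2000 'No access without explicit anonymous permissions' setting; see Microsoft KB 246261 for its compatibility impact. Disabling the policy deletes the value and leaves the operating-system default."
Sup_W2K="Windows 2000 member servers and workstations"
Part_Level="Anonymous connection restriction level"
Lvl_None="None. Rely on default permissions (0)"
Lvl_NoEnum="Do not allow enumeration of SAM accounts and shares (1)"
Lvl_NoAccess="No access without explicit anonymous permissions (2)"
```

Two things to check before relying on it. First, because the Lsa key is outside the Policies branches of the registry, the editor treats this as a preference rather than a true policy: it is hidden until you clear "Only show policy settings that can be fully managed" under View > Filtering in the Windows 2003 policy editor, and the value is tattooed, meaning it stays in the registry after the GPO is unlinked unless you explicitly set a lower level first. Second, scope the GPO to an OU containing only Windows 2000 systems: on Windows 2003/XP the same value name is interpreted differently (as the post shows, only 0 and 1 are meaningful there), and the KB article linked in the original post lists the down-level client and trust scenarios that level 2 can break, so verify on a pilot group with `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous` after a refresh before linking it more widely.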