Restrict Anonymous Key

Andy

Mar 31, 2004
Archived from groups: microsoft.public.win2000.security

Hello group, my question concerns the Restrict Anonymous
setting in Windows 2000. We have Windows XP and Windows
2000 as our desktop OS and Server 2003 installed on some
application servers and 2000 as the DC. I set the
Restrict Anonymous registry key on the DC's to a value of
0 to allow users with Windows XP to change their password
when it expires. However, the Registry Setting changes to
a value of 2 overnight. How do you either prevent the
registry key from changing or allow Windows XP users to
access the DC when the key is set to a value of 2?

Thanks for your information
 
Guest

"Andy" <aclelland.nospam@rivermarkcu.org> wrote in message
news:197901c49ccf$f08bbeb0$a301280a@phx.gbl...
> Hello group, my question concerns the Restrict Anonymous
> setting in Windows 2000. We have Windows XP and Windows
> 2000 as our desktop OS and Server 2003 installed on some
> application servers and 2000 as the DC. I set the
> Restrict Anonymous registry key on the DC's to a value of
> 0 to allow users with Windows XP to change their password
> when it expires. However, the Registry Setting changes to
> a value of 2 overnight. How do you either prevent the
> registry key from changing or allow Windows XP users to
> access the DC when the key is set to a value of 2?
>
> Thanks for your information

Just FYI, RestrictAnonymous = 2 is not a valid value in XP or any OS other
than Windows 2000. That wrong setting alone may or may not cause problems,
but applying Windows 2000 group policy templates to any other OS is bad and
causes problems, because the settings change from OS to OS. Group Policy
templates are written for one OS and should never be applied to another OS.

With XP and 2003, you instead have RestrictAnonymous = 0 or 1 plus the new
RestrictAnonymousSAM = 0 or 1.

I think RestrictAnonymous=0 on domain controllers is not a great idea and
should not be necessary. It should be 1. Unless I'm mistaken, I don't
think you should have problems with XP changing passwords with this setting.
If you do, I think there are other registry values in that same area of
Group Policy that will fix this, such as possibly Everyone includes
Anonymous or adding users and computers to the "Pre-Windows 2000
Compatibility" group [this should not be necessary for XP clients, but may
be necessary for 9x and NT].
 
Guest

It is probably configured in the security policy for the domain controllers, and the
policy refreshed itself. Go to Domain Controllers Security Policy / Security
Settings / Local Policies / Security Options and I believe it is the first option -
"Additional restrictions for anonymous connections". Set it to "Do not allow anonymous
enumeration of SAM accounts and shares". I believe that setting will work and is
equivalent to the registry setting of 1. "None. Rely on default permissions" is the
same as 0, which will work for sure. When done, run
secedit /refreshpolicy machine_policy /enforce
on your domain controller. Read more about that setting in table 4.6 in the
link below, including the availability of a hotfix. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx

"Andy" <aclelland.nospam@rivermarkcu.org> wrote in message
news:197901c49ccf$f08bbeb0$a301280a@phx.gbl...
> Hello group, my question concerns the Restrict Anonymous
> setting in Windows 2000. We have Windows XP and Windows
> 2000 as our desktop OS and Server 2003 installed on some
> application servers and 2000 as the DC. I set the
> Restrict Anonymous registry key on the DC's to a value of
> 0 to allow users with Windows XP to change their password
> when it expires. However, the Registry Setting changes to
> a value of 2 overnight. How do you either prevent the
> registry key from changing or allow Windows XP users to
> access the DC when the key is set to a value of 2?
>
> Thanks for your information
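
The per-OS rules stated in the replies above, as an added example that is not part of the original thread: a Python check that parses `reg query` text output for the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` key and flags values the replies call invalid or inadvisable. The `os_family` labels, the finding codes and the sample outputs are constructed for this example, and the samples assume the text layout printed by current `reg.exe`.

```python
import re

# Both values live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Map lowercased value name -> int from `reg query` text output."""
    found = {}
    for line in text.splitlines():
        m = DWORD_LINE.match(line)
        if m:  # registry value names are case-insensitive
            found[m.group(1).lower()] = int(m.group(2), 16)
    return found

def audit(os_family, values, is_dc=False):
    """os_family is 'win2000' or 'xp2003' (labels invented for this example)."""
    if os_family not in ("win2000", "xp2003"):
        raise ValueError("unknown os_family: %r" % os_family)
    findings = []
    ra = values.get("restrictanonymous")
    sam = values.get("restrictanonymoussam")
    allowed = (0, 1, 2) if os_family == "win2000" else (0, 1)
    if ra is None:
        findings.append("RA_MISSING")
    elif ra not in allowed:
        # e.g. a Windows 2000 template applied to XP/2003 leaves 2 behind
        findings.append("RA_INVALID_FOR_OS")
    elif ra == 0 and is_dc:
        findings.append("RA_ZERO_ON_DC")  # the reply recommends 1 on DCs
    elif ra == 2:
        # the original poster saw XP password changes fail against this
        findings.append("RA_2_CLIENT_COMPAT")
    if os_family == "xp2003" and sam not in (0, 1):
        findings.append("SAM_MISSING_OR_INVALID")
    return findings

# Constructed samples (not captured from a real host).
SAMPLE_W2K_DC = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    restrictanonymous    REG_DWORD    0x2
"""
SAMPLE_XP = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    RestrictAnonymous    REG_DWORD    0x2
    RestrictAnonymousSAM    REG_DWORD    0x1
"""

if __name__ == "__main__":
    print(audit("win2000", parse_reg_query(SAMPLE_W2K_DC), is_dc=True))
    print(audit("xp2003", parse_reg_query(SAMPLE_XP)))
```

Running the same check on a schedule and comparing results between runs also shows when a policy refresh has rewritten the value, which is the overnight change described in the question.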