823659 328459 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Friday, October 15, 2004 2:07 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)
Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today. Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymou s key in 2000, that you needed to set to "2" to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys: ..\RestrictAnonymous=1 ..\RestrictAnonymousSAM=1 Now, I've obviously only done this on my network, but I can tell you that a setting of "2" in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a "1" now has my IPC$ share behaving the way I thought it should've been. The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references "2" as a valid entry for ..\RestrictAnonymous. Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article? Laura E. Hunter MCSE, MVP - Windows Networking University of Pennsylvania List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/