RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)
I greatly value the knowledge that I've gained from this group and I love to occasionally be able to give back. At the risk of making this seem too easy, here is the exact google query that I used:

site:support.microsoft.com RestrictAnonymousSAM

(without the quotes) I love the site: modifier

May the google be with you

g

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 16, 2004 5:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

Your google-fu appears to be very strong young one... :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

823659
328459

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in 2000, that you needed to set to 2 to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you that a setting of 2 in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a 1 now has my IPC$ share behaving the way I thought it should've been.

The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references 2 as a valid entry for ..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article?

Laura E. Hunter
MCSE, MVP - Windows Networking
University of Pennsylvania

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
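For anyone who wants to check a 2003 box against the values Laura describes, here is an added PowerShell audit snippet (example code, not from the thread, Microsoft, or the list); it assumes the LSA key path and the two value names quoted above, takes the expected values (1 and 1) from her report, and the -Remediate switch is a hypothetical convenience of this example only.

```powershell
# Added example (not from the thread): audit the two LSA values the thread discusses.
# Laura reports that on Windows Server 2003 RestrictAnonymous=2 on its own left SAM
# enumeration open, while RestrictAnonymous=1 plus RestrictAnonymousSAM=1 closed it.
# These map to the policies "Network access: Do not allow anonymous enumeration of
# SAM accounts and shares" and "... of SAM accounts" respectively.
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1 }   # values from the thread

function Test-AnonymousRestriction {
    param(
        [string]$Path = $LsaPath,
        [switch]$Remediate   # hypothetical switch for this example: write the expected values
    )
    $lsa = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Call out the exact Windows 2000-style configuration the thread reports as ineffective on 2003.
    if ($lsa.RestrictAnonymous -eq 2 -and $null -eq $lsa.RestrictAnonymousSAM) {
        Write-Warning 'RestrictAnonymous=2 with no RestrictAnonymousSAM value: 2000-style setting, see thread'
    }

    foreach ($name in $Expected.Keys) {
        $actual = $lsa.$name                     # $null when the value does not exist
        $ok     = ($actual -eq $Expected[$name])
        $status = 'REVIEW'
        if ($ok) {
            $status = 'OK'
        } elseif ($Remediate) {
            # Writing HKLM requires an elevated session; Set-ItemProperty creates the value if absent.
            Set-ItemProperty -Path $Path -Name $name -Value $Expected[$name] -Type DWord
            $actual = $Expected[$name]
            $status = 'FIXED'
        }
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Status   = $status
        }
    }
}

# Report only; add -Remediate to write the working values Laura reported.
Test-AnonymousRestriction | Format-Table -AutoSize
```

The KB articles Larry cites (823659 and 328459) are the places to confirm the intended semantics before rolling a change out beyond a test box.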
RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)
Google-fu? What's that? :-P

You should have checked my online Windows bookmarks first before posting ;). I rely on higher authorities (you know whom they are) to learn about hidden stuff like these, although I admit that I only got to know about this specific one through one of the TechEd sessions and a Webcast, and it still does not appear to be well-documented.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Hunter, Laura E.
Sent: Fri 10/15/2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in 2000, that you needed to set to 2 to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you that a setting of 2 in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a 1 now has my IPC$ share behaving the way I thought it should've been.

The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references 2 as a valid entry for ..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article?

Laura E. Hunter
MCSE, MVP - Windows Networking
University of Pennsylvania
RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)
Your google-fu appears to be very strong young one... :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

823659
328459

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in 2000, that you needed to set to 2 to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you that a setting of 2 in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a 1 now has my IPC$ share behaving the way I thought it should've been.

The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references 2 as a valid entry for ..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article?

Laura E. Hunter
MCSE, MVP - Windows Networking
University of Pennsylvania
RE: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)
823659
328459

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, October 15, 2004 2:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness)

Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today.

Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in 2000, that you needed to set to 2 to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys:

..\RestrictAnonymous=1
..\RestrictAnonymousSAM=1

Now, I've obviously only done this on my network, but I can tell you that a setting of 2 in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a 1 now has my IPC$ share behaving the way I thought it should've been.

The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references 2 as a valid entry for ..\RestrictAnonymous.

Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article?

Laura E. Hunter
MCSE, MVP - Windows Networking
University of Pennsylvania