"Google-fu"? What's that? :-P You should have checked my online "Windows" bookmarks first before posting ;). I rely on higher authorities (you know whom they are) to learn about hidden stuff like these, although I admit that I only got to know about this specific one through one of the TechEd sessions and a Webcast, and it still does not appear to be well-documented. Sincerely,
D�j� Ak�m�l�f�, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Hunter, Laura E. Sent: Fri 10/15/2004 2:06 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] 2K3 documentation update? (WAS: Windows Server 2003 Security Weirdness) Remember my "I'm getting hammered with brute-force attacks as if 'Do not allow enumeration of SAM' setting wasn't there even though it is" problem? Found the solution today. Remember the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous key in 2000, that you needed to set to "2" to do any good? Seems that's been deprecated in 2003, and the new correct value is split into 2 registry keys: ..\RestrictAnonymous=1 ..\RestrictAnonymousSAM=1 Now, I've obviously only done this on my network, but I can tell you that a setting of "2" in ..\RestrictAnonymous had me wide open and getting hammered by account enumeration attacks, whereas changing it to a "1" now has my IPC$ share behaving the way I thought it should've been. The kicker? I can't find any mention of the change in an MS Article (though Deji or someone will doubtless prove me wrong in about 5 seconds with their superior Google-fu skills :-)). And the Windows Server 2003 Deployment Kit actually references "2" as a valid entry for ..\RestrictAnonymous. Can anyone confirm or deny this before I go making a fool out of myself by submitting an incorrect or redundant KB article? Laura E. Hunter MCSE, MVP - Windows Networking University of Pennsylvania List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
