So, it sounds like you are saying that the "Pre-Windows 2000 Compatible Access" group they refer to is the one I see in my ADUC domain\Builtin folder. That group only has "Authenticated Users" and "Exchange Domain Servers" as members. They recommend that the Everyone and Anonymous groups be removed. Since they aren't there, it sounds like I'm OK with respect to what the article is addressing. So, the "net user" test I referenced earlier - what's that testing? Is that testing something different that what is being referenced in this article?
Thanks for sticking with me through this.

Curt

> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 01, 2008 11:21 AM
> To: NT System Admin Issues
> Subject: RE: Eliminating Anonymous connections to DCs
>
> Well, I learned something today. Localgroup on a DC refers to "domain
> local". Amazing that in 13 years of Windows, I've never run into that
> before...
>
> Regardless, the contents of your "Pre-Windows 2000 Compatible Access"
> group is now correct.
>
> Insofar as anonymous access...Start the Administrative Tools -> Domain
> Security Policy.
>
> Drill down Security Settings -> Local Policies -> Security Options.
>
> There are a number of relevant options under Network access, perhaps
> the most important 3:
>
> Network access: Allow anonymous SID/name translation
> Network access: Do not allow anonymous enumeration of SAM accounts
> Network access: Do not allow anonymous enumeration of SAM accounts
> and shares
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 01, 2008 12:44 PM
> To: NT System Admin Issues
> Subject: RE: Eliminating Anonymous connections to DCs
>
> It looks like an excerpt is available on the web
>
> http://www.microsoft.com/mspress/books/sampchap/5567b.aspx
>
> Thanks for looking at this for me.
>
> Curt
>
> > -----Original Message-----
> > From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 30, 2008 11:40 AM
> > To: NT System Admin Issues
> > Subject: RE: Eliminating Anonymous connections to DCs
> >
> > The registry key is still valid. However, the preferred mechanism for
> > 2003 and above is to use the Domain Policy.
> >
> > I don't think the document you are referring to is valid. There are no
> > local groups on domain controllers. By definition.
> >
> > If it's available on the web, give me a link and I'll take a look.
> >
> > Regards,
> >
> > Michael B. Smith
> > MCSE/Exchange MVP
> > http://TheEssentialExchange.com
> >
> > -----Original Message-----
> > From: Jim Dandy [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 30, 2008 2:31 PM
> > To: NT System Admin Issues
> > Subject: RE: Eliminating Anonymous connections to DCs
> >
> > I did go to ADUC. The thing that was concerning me was the command
> > they said to use was
> >
> > Net localgroup ...
> >
> > It would appear that this command modifies a local group. Is the
> > "Pre-Windows 2000 Compatible Access" found in ADUC a local group?
> >
> > The web page you directed me to appears to be for W2K. Is that still
> > valid for W2k3?
> >
> > Thanks for your help.
> >
> > Curt
> >
> > > -----Original Message-----
> > > From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 30, 2008 11:18 AM
> > > To: NT System Admin Issues
> > > Subject: RE: Eliminating Anonymous connections to DCs
> > >
> > > Huh?
> > >
> > > Open ADUC. Goto the Builtin container. Look in "Pre-Windows 2000
> > > Compatible Access".
> > >
> > > What's under the Members tab?
> > >
> > > Otherwise, you need to look at the RestrictAnonymous registry key and
> > > domain policy.
> > >
> > > http://support.microsoft.com/kb/246261/ for the registry key. Click
> > > around in "Default Domain Policy" for the policy.
> > >
> > > Regards,
> > >
> > > Michael B. Smith
> > > MCSE/Exchange MVP
> > > http://TheEssentialExchange.com
> > >
> > > -----Original Message-----
> > > From: Jim Dandy [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 30, 2008 1:49 PM
> > > To: NT System Admin Issues
> > > Subject: Eliminating Anonymous connections to DCs
> > >
> > > Sorry for the long post. I'd appreciate it if you could hang in there
> > > and read through this. My question is, are anonymous connections
> > > eliminated?
> > >
> > > A document I have says "After you upgrade all the servers in the
> > > domain hosting services that run as Local System and use Anonymous or
> > > null credentials when accessing a domain controller. Such as Windows
> > > NT 4.0 RAS servers, remove the Everyone and Anonymous Logon groups
> > > from the Pre-Windows 2000 Compatible Access built-in group. This task
> > > increases the security of your domain by preventing anonymous
> > > connections to the domain controllers."
> > >
> > > The document then suggests to do so with the command
> > >
> > > Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete
> > >
> > > I can't remember if I did this back when I upgraded from NT to Server
> > > 2003. I'm now running both the forest and domain in Server 2003 mode
> > > with all DCs running Server 2003.
> > >
> > > I logged onto my DC and executed the above command with Everyone
> > > substituted in for groupname. I got error
> > >
> > > System error 2 has occurred
> > > The system file cannot find the file specified
> > >
> > > Doing the same substituting in anonymous for groupname I got error
> > > There is no such global user or group: Anonymous
> > >
> > > I read you can test to see if anonymous access is disabled with the
> > > command
> > > Net user \\servername\ipc$ /u:"" ""
> > > I executed this command from another computer on the network and got
> > > "Logon failure: unknown user name or bad password."
> > >
> > > I also read you can test anonymous access with the command
> > > Net user \\ipc$ /u:"" ""
> > > I executed this command while logged on to the DC and got "System
> > > error 67 has occurred." I wasn't sure if this command was actually
> > > valid so I retried with a slight modification
> > > Net user \\localhost\ipc$ /u:"" ""
> > > This time I got "The command completed successfully."
> > >
> > > So the question is, is anonymous access still enabled or do I need to
> > > do something further to disable it? Thanks for your help.
> > >
> > > Curt
> > >
> > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> > > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
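The thread leaves the three checks scattered across several replies: the registry value behind KB 246261, the Security Options Michael lists, the members of "Pre-Windows 2000 Compatible Access", and the IPC$ null-session test Curt ran. The script below, an added example that is not part of the thread and not Microsoft's or any poster's code, pulls them into one audit to run on the DC. It assumes an elevated PowerShell on the DC and, for the group check only, the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later; on a 2003 DC do that step in ADUC as Michael describes). The registry value names RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous are the real values those Security Options write under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the template key LSAAnonymousNameLookup that secedit exports for "Allow anonymous SID/name translation" is also a real key but is used here on my own reading of the exported template, so treat that function as an assumption. The null-session check is written with net use, the command that actually opens an IPC$ connection (the thread spells it net user), and as Curt's own results show, the remote result is the one that matters.

```powershell
# Added example (not from the thread): audit anonymous-access controls on a
# Windows Server 2003+ domain controller. Assumptions: elevated PowerShell on
# the DC; ActiveDirectory module present for Get-LegacyCompatMembers.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened values for the Security Options named in the thread. A value that
# is absent from the registry behaves as 0.
$checks = @(
    @{ Name = 'RestrictAnonymousSAM';      Want = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts' },
    @{ Name = 'RestrictAnonymous';         Want = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Name = 'EveryoneIncludesAnonymous'; Want = 0; Policy = 'Let Everyone permissions apply to anonymous users' }
)

function Get-LsaAnonymousSettings {
    # Compare each registry value with its expected hardened setting.
    $lsa = Get-ItemProperty -Path $lsaPath
    foreach ($c in $checks) {
        $actual = $lsa.($c.Name)
        if ($null -eq $actual) { $actual = 0 }
        New-Object PSObject -Property @{
            Policy   = "Network access: $($c.Policy)"
            Value    = $c.Name
            Actual   = $actual
            Expected = $c.Want
            Ok       = ($actual -eq $c.Want)
        }
    }
}

function Get-AnonymousSidNameLookup {
    # "Allow anonymous SID/name translation" is LSA policy, not a registry
    # value, so export the local security policy and read it from the
    # template. Assumption: the key is LSAAnonymousNameLookup (0 = Disabled).
    $inf = Join-Path $env:TEMP 'anon-audit.inf'
    & secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $hit = Select-String -Path $inf -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    return $null
}

function Get-LegacyCompatMembers {
    # The group Michael points at in the Builtin container. Well-known
    # principals are stored as foreign security principals, so match on SID:
    # Everyone = S-1-1-0, ANONYMOUS LOGON = S-1-5-7. Authenticated Users
    # (S-1-5-11) is the member expected to remain after the cleanup.
    Import-Module ActiveDirectory -ErrorAction Stop
    $unwanted = @('S-1-1-0', 'S-1-5-7')
    Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Member = $_.Name
                SID    = $_.SID.Value
                Remove = ($unwanted -contains $_.SID.Value)
            }
        }
}

function Test-NullSession {
    param([string]$Server)
    # Curt's IPC$ test as "net use": exit code 0 means the DC accepted a
    # connection with empty credentials. Run it from another machine; the
    # thread shows the result against localhost on the DC is not the same.
    & net use "\\$Server\ipc$" "" /user:"" 2>&1 | Out-Null
    $accepted = ($LASTEXITCODE -eq 0)
    if ($accepted) { & net use "\\$Server\ipc$" /delete 2>&1 | Out-Null }
    return $accepted
}

# Report. Anything with Ok = False or Remove = True is a finding.
Get-LsaAnonymousSettings | Format-Table Policy, Value, Actual, Expected, Ok -AutoSize
"Allow anonymous SID/name translation (0 = Disabled, hardened): $(Get-AnonymousSidNameLookup)"
Get-LegacyCompatMembers | Format-Table Member, SID, Remove -AutoSize
```

Fix findings through Domain Security Policy rather than by editing the registry directly, as Michael recommends for 2003 and later: a value set by hand is overwritten at the next policy refresh, and the policy is what the other DCs will converge to. Test-NullSession is meant to be called from a workstation against each DC name after the policy has applied.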
