RestrictAnonymous and Your Server

To have a truly secure server, you’ll want to require proper authentication before allowing access. The restrictanonymous registry setting allows you to control anonymous access, and make authenticated access necessary.

The restrictanonymous registry setting, if not used properly, can affect access to your server in several possibly unanticipated ways.

  • Your server won’t be enumerated by the browser.
  • Your server won’t be accessible through Guest authentication.
  • Your server may not have its name successfully resolved to an address. Other computers may display an “error = 53” when trying to access your server.

The browser process is designed to run from a server, which would typically be unattended, and not logged on. It uses anonymous access to enumerate any server under its notice. Since it requires anonymous access, browser operation is subject to interference by the restrictanonymous setting.

Since the Guest account is equivalent to anonymous access, the restrictanonymous setting can likewise interfere with Guest access.

And, in at least one case which I have observed, the restrictanonymous setting can interfere with name resolution.

The Zotob worm, as described in the ISC / SANS article “Zotob affecting some XP SP2/2003?”, uses anonymous SAM enumeration to spread. That ability is controlled by the restrictanonymoussam setting. The ISC article goes further, predicting that one day some currently unknown worm may use anonymous shares enumeration, and recommends setting restrictanonymous to block such expected activity. If you followed such a recommendation, and you are now here, that is why you’re here.

Enumeration of your server, and other relationships described above, requires anonymous access.

Look at registry key (spaces added for readability) [HKLM \System \CurrentControlSet \Control \Lsa], value restrictanonymous, on any server with either problem.

For anonymous access to work (for any server to be enumerated by a browser, or for Guest authentication to take place), a server must have a restrictanonymous value of “0”. If the value on your server isn’t “0”, change it and restart the server.

NOTE: Only worry about one specific value here: restrictanonymous.

  • The relevant key node is CurrentControlSet. ControlSet001, ControlSet002, … are mirrors of that key, and are not relevant, when you’re working on this problem.
  • The relevant value here is restrictanonymous. The peer value, restrictanonymoussam, is not relevant, when you’re working on this problem.

Only worry about the restrictanonymous value in the [HKLM \System \CurrentControlSet \Control \Lsa] registry key.

Besides restrictanonymous, though, you might want to be aware of RestrictNullSessAccess.
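To check these values on a server without opening the registry editor, the following read-only audit can be used. It is an added example, not part of the original article; the function name and output columns are illustrative, it assumes PowerShell 3.0 or later, and the RestrictNullSessAccess location (the Server service parameters key) is not given in the article.

```powershell
# Added example: read-only audit of the anonymous-access values discussed above.
# Function name and output shape are illustrative, not from the original article.
function Get-AnonymousAccessSetting {
    $lsa    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    # RestrictNullSessAccess is stored under the Server service parameters.
    $server = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'

    # Primary = the one value the article says to worry about for this problem.
    $checks = @(
        @{ Path = $lsa;    Name = 'restrictanonymous';      Primary = $true  },
        @{ Path = $lsa;    Name = 'restrictanonymoussam';   Primary = $false },
        @{ Path = $server; Name = 'RestrictNullSessAccess'; Primary = $false }
    )

    foreach ($c in $checks) {
        # A missing value is reported as missing rather than treated as 0.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        $note = if (-not $c.Primary) {
            'Reported for reference; the article singles out restrictanonymous'
        } elseif ($null -eq $value) {
            'Value not present'
        } elseif ($value -eq 0) {
            'Anonymous access allowed: browser enumeration and Guest authentication can work'
        } else {
            'Anonymous access restricted: expect browser, Guest or "error = 53" symptoms'
        }

        [pscustomobject]@{
            Key   = $c.Path
            Name  = $c.Name
            Value = $value
            Note  = $note
        }
    }
}

# Only CurrentControlSet is read; ControlSet001, ControlSet002, ... are ignored.
Get-AnonymousAccessSetting | Format-Table -AutoSize -Wrap
```

The script changes nothing. If restrictanonymous has to be edited afterwards, the server still needs the restart described above.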

For more information, you might want to read:

The above articles refer to Windows 2000, and to Server 2003. Remember Win2K is NT V5.0, and WinXP is NT V5.1.


2 Responses to “RestrictAnonymous and Your Server”

  1. RonWales Says:

    Thanks so much for this article. You solved a problem that has been bugging me for months.

  2. ctparson Says:

    Wow – I have been trying EVERYTHING to get file sharing to work and nothing has until NOW! Thank you so much for this posting. I have spent many many hours trying to find the setting that was causing the access issues. THANK YOU VERY MUCH!
