It sounds like this has been set in group policy, most likely on the Domain
Controllers OU. In GP, go to Computer Settings -> Windows Settings ->
Security Settings -> Local Policies -> Security Options -> Additional
restrictions for anonymous connections (I'm working from memory here, so I
might be off a bit) and choose the second option in the list, which should
read something like "Do not allow enumeration of SAM accounts and shares".
The reason that you're having problems with your XP clients only is because
a setting of 2 for RA is no longer supported in XP or Win2k3. Instead, there
are numerous other configuration options that allow you to achieve
essentially the same result, but you need the XP/Win2K3 GP templates.
Laura
-----Original Message-----
From: Andrew Clelland [mailto:aclelland@rivermarkcu.org]
Sent: Tuesday, September 21, 2004 12:03 PM
To: 'focus-ms@securityfocus.com'
Subject: Restrict Anonymous
Good morning, I am curious about the Restrict Anonymous
setting in Windows 2000 Server. Our DC is Windows 2000 and we
have some servers with 2003 and half of our workstations are
Windows XP. Every evening the restrict anonymous key changes
to a DWORD value of 2 (allow users with explicit anonymous
permission) and denies users on Windows XP the chance to
change their expired password. Does anyone know of a way to
force this setting to a DWORD value of 1 (restrict anonymous
Users) or make Windows XP work with the DWORD value of 2?
Thanks in advance for your insight and I look forward to the
responses.
~Andy
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
