Re: RestrictAnonymous pros vs cons
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/12/03
- In reply to: Chris: "RestrictAnonymous pros vs cons"
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 11 Feb 2003 19:41:41 -0500
I don't think there is a comprehensive list. The problems you're having are
pretty much all the problems I'm aware of. [I assume you're aware that RA =
2 prevents Windows 2000 domain controllers from being able to authenticate
users, and that RA=2 is not an option in NT or XP, despite some pages that
state otherwise.]

www.Veritas.com is the place to look for a fix for the problem with Veritas
Backup Exec, though I'm not sure there is a fix for that.

I believe the Microsoft knowledge base at www.microsoft.com/support does
describe that adding new domain trusts breaks with certain RestrictAnonymous
settings [actually I believe the article I'm thinking of involves Windows NT
and RA = 1]... but there was no fix, short of going back to RA = 0 in order
to add the trust, and then you can make RA whatever you want.

There was another report here in the past month of problems managing shared
network printers with RA=2 on the client workstation [not necessarily the
computer sharing the printer].

My understanding is that the 1 setting definitely blocks some information
like first and last name but not other information like login ID name and
share names. Also, RA=1 breaks some tools and not others. So, RA=0 is good
to avoid if you can.

To see for yourself what information is and isn't available, download the
GETACCT tool from www.securityfriday.com. I think they also have an article
or two with more information about all this.

HTH
"Chris" <chrishill27@yahoo.com> wrote in message
news:14029bf0.0302111539.2175e3c9@posting.google.com...
> Part of my project to tighten network security includes setting the
> RestrictAnonymous value on our Win2k DC's and member servers. I've
> read (Windows 2000 Hacking Exposed and other sources) that the "1"
> setting "does not actually block anonymous connections" and that
> "certain types" of information can still be gathered from a server.
> As a result, we have gone with the "2" setting. Things seem to be
> working ok in general with a few exceptions:
> 1. domain browse list does not transfer to untrusted domains
> (expected)
> 2. BackupExec problems (always expected)
> 3. New report of problems with RIS authentication/domain join.
>
> We can deal with #1 and find workarounds for #2, but #3 may develop
> into a problem. Can anyone provide some details as to the security
> risks of the RestrictAnon=1 setting? The security docs I've read make
> the "1" setting sound like nothing more than a minor inconvenience to
> anyone trying to extract info from a server. Also, if anyone can
> direct me to a comprehensive list of known issues with the
> RestrictAnon=2 setting, please post that also. Thank you in advance
> for any responses.