Re: RestrictAnonymous

From: Larry (lmcaulif@scsiweb.com)
Date: 01/31/03


From: lmcaulif@scsiweb.com (Larry)
Date: 30 Jan 2003 15:29:14 -0800


Karl,

Thanks for the full explanation - I really do appreciate it. We're
about to change ISPs so we'll be getting new IP addresses. At that
point I'm going to try and get the "powers that be" to pony up some
bucks and get somebody in who actually knows what they're doing. This
'home grown' stuff only works so far, y'know?!? :-)

Again thanks for taking so much time.

Larry

"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message news:<uZ4RUnIyCHA.2532@TK2MSFTNGP10>...
> I would feel safer making it mixed case; however, I have seen it both ways in
> the registry, not sure why. I cannot confirm whether all lower case works.
>
> As you may know, RestrictAnonymous works differently for NT, 2000 and XP
> [and XP is barely documented anywhere]. NT only has 0 and 1 as valid
> settings [despite documentation to the contrary]. 2000 has 0, 1 and 2. XP
> again only has 0 and 1 but has other values such as RestrictAnonymousSam.
> For XP information, search www.google.com for RestrictAnonymousSam [don't
> try searching www.microsoft.com, you won't find it anywhere there as far as
> I know].
>
> Note that RestrictAnonymous=1 does NOT really tighten null sessions very
> much. It blocks some information from being enumerated anonymously, but
> user ID and share names are still enumerated. RestrictAnonymous=2 forbids
> null sessions entirely, but only on Windows 2000 and only if it is not a
> domain controller and there are no downlevel clients. Use the Getacct tool
> from www.securityfriday.com after setting RestrictAnonymous to see what
> information is still available.
>
> For other things you should consider doing to prevent being hacked again,
> see here:
>
> http://securityadmin.info/faq.htm#harden
>
> Hardening IIS should definitely include installing URLScan free from
> Microsoft.com. This would have blocked Nimda. So would have installing
> antivirus with the latest updates being automatically downloaded weekly. So
> would have installing the latest security patches anytime in the past year.
> You have to be especially security conscious on internet-facing servers like
> web servers. Even if you think there's nothing important on it or "it's
> only a test server," it can be used to sniff passwords, use up all your
> bandwidth and free disk space, hop into your internal network, etc. etc.
>
> Note that if you got Nimda, you might have also had any number of hackers
> hacking your systems undetected, sniffing your passwords and credit card
> numbers, etc. To see if this might be the case, see here:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
>
> People being able to run remote code on your server from the internet [and
> able to do it for several years] is considered a serious condition, and so
> you may want to consider formatting and reinstalling from scratch and
> immediately hardening everything.
>
>
> "Larry" <lmcaulif@scsiweb.com> wrote in message
> news:518137d4.0301300705.188df179@posting.google.com...
> > Hello,
> >
> > We've been hit recently with what I believe was the W32.Nimda.E@mm
> > worm (at least according to Symantec's NAV.)
> >
> > In trying to tighten things down I want to set the RestrictAnonymous
> > value to something >"0". We run (don't laugh) NT4.0 SP6 Servers and
> > W2K Pro workstations. The two machines available to the world are our
> > Proxy and IIS servers, both of which are old (i.e., PS v2.0 & IIS
> > v3.0.) We've had no problems for years - hence we've felt no need to
> > upgrade! :-)
> >
> > Now, in attempting to set the RestrictAnonymous value to "1" in W2K, I
> > noticed that it was, in fact, already present in the Control\LSA
> > registry entry as "0". Since I'm just learning about it, I'll assume
> > it's put there at installation time. Anyway . . .
> >
> > In these W2K machines the value is written all in lower
> > case(restrictanonymous). However, everything I'm reading about
> > setting it shows it entered in mixed case (RestrictAnonymous). I have
> > to assume that the W2K registry, like the NT4.0 registry is case
> > sensitive.
> >
> > Does anyone know if this is true? And if it is, which way should the
> > entry appear; lower or mixed case?
> >
> > Thanks,
> > Larry
>
>
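Karl's explanation above (the valid RestrictAnonymous settings per OS, what =1 still leaves enumerable) and Larry's case question, as a small offline check added here that is not part of the thread: it parses a constructed `regedit /e` export of the Lsa key and grades the setting. Value names are folded to lower case because the registry matches them case-insensitively; the OS labels and the VALID table are my assumptions drawn from Karl's description.

```python
import re
from typing import Dict

# Constructed sample: what `regedit /e` exports for the Lsa key on a box where
# the value was written in lower case, as Larry saw on his W2K machines.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"restrictanonymous"=dword:00000001
"RestrictAnonymousSam"=dword:00000000
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Valid settings per OS as Karl lists them: NT 0/1, 2000 0/1/2, XP 0/1 (labels assumed).
VALID = {"nt4": {0, 1}, "2000": {0, 1, 2}, "xp": {0, 1}}


def parse_reg_key(text: str, key: str) -> Dict[str, int]:
    """Return the DWORD values under `key` from a .reg export.

    Value names are folded to lower case because the registry itself matches
    them case-insensitively, so 'restrictanonymous' == 'RestrictAnonymous'."""
    values: Dict[str, int] = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def assess(values: Dict[str, int], os_name: str) -> str:
    ra = values.get("restrictanonymous", 0)  # an absent value behaves like 0
    if ra not in VALID[os_name]:
        return f"RestrictAnonymous={ra} is not a valid setting on {os_name}"
    if ra == 0:
        return "RestrictAnonymous=0: null sessions unrestricted"
    if ra == 1:
        msg = "RestrictAnonymous=1: some enumeration blocked, user IDs and share names still enumerable"
        if os_name == "xp":  # XP adds RestrictAnonymousSam alongside 0/1
            msg += f"; RestrictAnonymousSam={values.get('restrictanonymoussam', 0)}"
        return msg
    return "RestrictAnonymous=2: null sessions forbidden (Windows 2000 non-DC, no downlevel clients)"


if __name__ == "__main__":
    vals = parse_reg_key(SAMPLE_REG, LSA_KEY)
    for name in VALID:
        print(name, "->", assess(vals, name))
```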