Re: RestrictAnonymous registry value

From: neo [mvp outlook] (neo@mvps.org)
Date: 02/06/03


From: "neo [mvp outlook]" <neo@mvps.org>
Date: Wed, 5 Feb 2003 19:54:59 -0800


Setting the value to 1 is a wise security measure in a mixed (NT4/2K)
environment because it does stop some GUI tools from enumerating data. So
the question you need to ask yourself is... is it better to leave the door
wide open or close it just a tad?

"Pat Wisch" <zzzpwisch@csulb.edu> wrote in message
news:3e413ac9.3253281@msnews.microsoft.com...
> Hello,
>
> I work at a college, and one of the admins in our group is pushing
> hard for setting the RestrictAnonymous registry value to 1 in
> HKLM\System\CurrentControlSet\Control\LSA.
> (Reference Q 246261).
>
> The idea is to prevent outsiders (or other people on campus) from
> enumerating user accounts on our domain controllers. However, from
> articles I've read, it seems that setting the RestrictAnonymous value
> to 1 isn't really going to accomplish much because there are ways to
> enumerate accounts that get around this setting. Although we are
> primarily a W2K shop, there are a few NT4 workstations around, so
> setting the value to 2 is not really an option for us.
>
> I would appreciate any feedback on this, and thanks in advance.
>
> --
> To reply by email, remove the zzz from my email address.