Hello folks, this is driving me batty. Somebody tell me if I'm doing something wrong, or if this is a case of some sort of GPO/interoperability weirdness:
Current Configuration:
- Single forest, single domain
- 2 Windows Server 2003 DCs
- 1 Windows 2000 Advanced Server DC

Relevant Group Policy settings:
- Allow anonymous SID/Name translation, configured as "Disabled"
- Do not allow anonymous enumeration of SAM accounts, configured as "Enabled"
- Do not allow anonymous enumeration of SAM accounts and shares, configured as "Enabled"
- Let Everyone permissions apply to anonymous users, configured as "Disabled"

The above GPO settings create the following registry entries on both the 2K and the 2K3 domain controllers:

HKLM\CurrentControlSet\Control\LSA\
    restrictanonymous - REG_DWORD - Value: 1
    restrictanonymousSAM - REG_DWORD - Value: 1

Now, I know that there was a change between 2K and 2K3, where the recommended setting for 2000 was meant to be:

HKLM\CurrentControlSet\Control\LSA\restrictanonymous - REG_DWORD - Value: 2

...and setting that key to "1" in 2K was essentially useless. But because the 2K server is receiving restrictanonymous - Value: 1 (I assume from the GPO), anonymous users are able to enumerate the SAM on my 2K DC, which is leaving me open to dictionary attacks/DoS attacks from account lockouts.

<wishful thinking>Shouldn't Group Policy be smart enough to populate the registry of each DC with the proper entries for the relevant OS?</wishful thinking>

Or do I need to either find a workaround or kill off my 2K DC? (Or am I just doing something stupid, which is always a possibility? :-))

Thanks all,
Laura

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
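An added audit script, not part of the original post, that checks each DC's actual LSA values against the value set its OS version honours (Windows 2000 honours only RestrictAnonymous, with 2 meaning no anonymous access; Server 2003 splits the control into RestrictAnonymous for shares and RestrictAnonymousSAM for accounts). It assumes you run it as a domain admin with the Remote Registry service reachable on every DC, and uses the full key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example: audit RestrictAnonymous / RestrictAnonymousSAM on every DC in the
# current domain and flag DCs whose values do not match what their OS version expects.
$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

# Enumerate the domain controllers of the domain this session belongs to.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name }

foreach ($dc in $dcs) {
    try {
        # Windows 2000 reports OS version 5.0; Windows Server 2003 reports 5.2.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc
        $major, $minor = $os.Version.Split('.')[0, 1]

        # Read the live registry values over the Remote Registry service.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
        $lsa   = $hklm.OpenSubKey($lsaPath)
        $ra    = [int]$lsa.GetValue('RestrictAnonymous', 0)
        $raSam = [int]$lsa.GetValue('RestrictAnonymousSAM', 0)

        # Expected values differ by OS. Windows 2000 ignores RestrictAnonymousSAM
        # entirely and needs RestrictAnonymous=2 to refuse anonymous SAM enumeration;
        # Server 2003 needs RestrictAnonymous=1 plus RestrictAnonymousSAM=1.
        if ([int]$major -eq 5 -and [int]$minor -eq 0) {
            $expected  = 'RestrictAnonymous=2'
            $compliant = ($ra -eq 2)
        } else {
            $expected  = 'RestrictAnonymous=1, RestrictAnonymousSAM=1'
            $compliant = ($ra -eq 1 -and $raSam -eq 1)
        }

        [pscustomobject]@{
            DC                   = $dc
            OSVersion            = $os.Version
            RestrictAnonymous    = $ra
            RestrictAnonymousSAM = $raSam
            Expected             = $expected
            Compliant            = $compliant
        }
    } catch {
        # Unreachable DC or no rights: report rather than silently skip it.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
```

Before raising RestrictAnonymous to 2 on the 2000 DC, test it outside production hours: on Windows 2000 that value also blocks anonymous access used by down-level (NT 4.0) trusts and the browser service, which is the usual reason the stricter setting was not pushed by policy.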