I've partially answered my question.  Anonymous access is NOT disabled.
I found by typing the command 

  net use \\servername\ipc$ /u:"" ""

by hand that the command succeeds.  I think the reason it failed before
was because I cut and pasted it from a web page and the page had the
open/close “” “” kinds of quotes instead of the standard "" "" quotes.

So, now the question is, how to shut down anonymous access since the
commands they suggest to shut it down don't work?

Net localgroup "Pre-Windows 2000 Compatible Access" anonymous /delete
Net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete

I'm executing these commands on the DC while logged on as enterprise
admin.  Thanks for your help.

Curt Finley

> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 30, 2008 10:49 AM
> To: NT System Admin Issues
> Subject: Eliminating Anonymous connections to DCs
> 
> Sorry for the long post.  I'd appreciate it if you could hang in there
> and read through this.  My question is, are anonymous connections
> eliminated?
> 
> A document I have says "After you upgrade all the servers in the domain
> hosting services that run as Local System and use Anonymous or null
> credentials when accessing a domain controller. Such as Windows NT 4.0
> RAS servers, remove the Everyone and Anonymous Logon groups from the
> Pre-Windows 2000 Compatible Access built-in group.  This task increases
> the security of your domain by preventing anonymous connections to the
> domain controllers."
> 
> The document then suggests to do so with the command
> 
>   Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete
> 
> I can't remember if I did this back when I upgraded from NT to Server
> 2003.  I'm now running both the forest and domain in Server 2003 mode
> with all DCs running Server 2003.
> 
> I logged onto my DC and executed the above command with Everyone
> substituted in for groupname.  I got error
> 
>   System error 2 has occurred
>   The system file cannot find the file specified
> 
> Doing the same substituting in anonymous for groupname I got error
>   There is no such global user or group: Anonymous
> 
> I read you can test to see if anonymous access is disabled with the
> command
>   Net user \\servername\ipc$ /u:"" ""
> I executed this command from another computer on the network and got
> "Logon failure: unknown user name or bad password."
> 
> I also read you can test anonymous access with the command
>   Net user \\ipc$ /u:"" ""
> I executed this command while logged on to the DC and got "System error
> 67 has occurred."  I wasn't sure if this command was actually valid so I
> retried with a slight modification
>     Net user \\localhost\ipc$ /u:"" ""
> This time I got "The command completed successfully."
> 
> So the question is, is anonymous access still enabled or do I need to do
> something further to disable it?  Thanks for your help.
> 
> Curt
> 
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
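
A read-only audit of the group membership discussed in this thread, as an added example that is not part of the original messages. It matches members by well-known SID (S-1-1-0 for Everyone, S-1-5-7 for Anonymous Logon) instead of by typed name. It assumes PowerShell is installed on the DC and that the WinNT ADSI provider resolves the built-in group through the DC's computer name; the variable names are illustrative.

```powershell
# Added example: audit only, changes nothing. Run on the DC as an administrator.
# Assumption: the WinNT ADSI provider on a DC exposes the domain's built-in groups.

$groupSid = 'S-1-5-32-554'          # BUILTIN\Pre-Windows 2000 Compatible Access
$flagged  = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

# Resolve the group's display name from its SID so the lookup does not
# depend on how the name is typed or localized.
$sidObj    = New-Object System.Security.Principal.SecurityIdentifier($groupSid)
$account   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
$groupName = $account.Split('\')[-1]

$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Enumerate members and convert each member's binary objectSid to string form.
$members = foreach ($m in $group.Invoke('Members')) {
    $type = $m.GetType()
    $name = $type.InvokeMember('Name', 'GetProperty', $null, $m, $null)
    $raw  = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    New-Object PSObject -Property @{
        Name    = $name
        Sid     = $sid
        Flagged = $flagged.ContainsKey($sid)
    }
}

$members | Format-Table Name, Sid, Flagged -AutoSize

$hits = @($members | Where-Object { $_.Flagged })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} still contains: {1}" -f $account,
        (($hits | ForEach-Object { $flagged[$_.Sid] }) -join ', '))
} else {
    Write-Output "$account contains neither Everyone nor Anonymous Logon."
}
```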
