Sorry for the long post.  I'd appreciate it if you could hang in there
and read through this.  My question is, are anonymous connections
eliminated?

A document I have says "After you upgrade all the servers in the domain
hosting services that run as Local System and use Anonymous or null
credentials when accessing a domain controller. Such as Windows NT 4.0
RAS servers, remove the Everyone and Anonymous Logon groups from the
Pre-Windows 2000 Compatible Access built-in group.  This task increases
the security of your domain by preventing anonymous connections to the
domain controllers."

The document then suggests to do so with the command

  Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete

I can't remember if I did this back when I upgraded from NT to Server
2003.  I'm now running both the forest and domain in Server 2003 mode
with all DCs running Server 2003.

I logged onto my DC and executed the above command with Everyone
substituted in for groupname.  I got error

  System error 2 has occurred
  The system file cannot find the file specified

Doing the same substituting in anonymous for groupname I got error
  There is no such global user or group: Anonymous

I read you can test to see if anonymous access is disabled with the
command
  Net user \\servername\ipc$ /u:"" ""
I executed this command from another computer on the network and got
"Logon failure: unknown user name or bad password."

I also read you can test anonymous access with the command
  Net user \\ipc$ /u:"" ""
I executed this command while logged on to the DC and got "System error
67 has occurred."  I wasn't sure if this command was actually valid so I
retried with a slight modification
    Net user \\localhost\ipc$ /u:"" ""
This time I got "The command completed successfully."

So the question is, is anonymous access still enabled or do I need to do
something further to disable it?  Thanks for your help.

Curt
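
The two settings the post touches on (membership of Pre-Windows 2000 Compatible Access and the anonymous-access values under the Lsa registry key) can be audited by SID rather than by display name. This is an added example, not part of the original post; the function name, the sample member list and the sample registry values are constructed for illustration.

```powershell
# Added example. Well-known SIDs, identical on every Windows installation:
#   S-1-5-32-554 = BUILTIN\Pre-Windows 2000 Compatible Access
#   S-1-1-0 = Everyone, S-1-5-7 = NT AUTHORITY\ANONYMOUS LOGON
function Test-AnonymousExposure {   # hypothetical helper name
    param(
        [string[]]$MemberDns,   # 'member' attribute of the group (distinguished names)
        $Lsa                    # values from HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    )
    $findings = @()
    # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $risky = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }
    foreach ($dn in $MemberDns) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($risky.ContainsKey($sid)) {
                $findings += "$($risky[$sid]) ($sid) is a member of Pre-Windows 2000 Compatible Access"
            }
        }
    }
    # Policy: "Let Everyone permissions apply to anonymous users"
    if ([int]$Lsa.EveryoneIncludesAnonymous -ne 0) {
        $findings += 'EveryoneIncludesAnonymous is enabled'
    }
    # Policy: "Do not allow anonymous enumeration of SAM accounts"
    if ([int]$Lsa.RestrictAnonymousSAM -eq 0) {
        $findings += 'RestrictAnonymousSAM is 0 or not set'
    }
    # Policy: "Do not allow anonymous enumeration of SAM accounts and shares"
    if ([int]$Lsa.RestrictAnonymous -eq 0) {
        $findings += 'RestrictAnonymous is 0 or not set'
    }
    return $findings
}

# Constructed sample input (DC=example,DC=test is a placeholder domain).
$sampleMembers = @(
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=test',   # Authenticated Users
    'CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=example,DC=test'     # ANONYMOUS LOGON
)
$sampleLsa = @{ RestrictAnonymous = 0; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 0 }
Test-AnonymousExposure -MemberDns $sampleMembers -Lsa $sampleLsa

# On a live domain controller, gather the real inputs instead (assumes ADSI
# SID binding and the registry provider are available):
#   $members = ([ADSI]'LDAP://<SID=S-1-5-32-554>').member
#   $lsa     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
```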
