Prevent anonymous logons by using Group Policy objects (GPOs)

Source: Internet
Author: User

Microsoft has always relied on anonymous logons to let computers and service programs establish initial communication with other computers. However, these anonymous logons are not secure: an attacker can use an anonymous logon to a Windows computer to read information that should be protected. With Group Policy objects (GPOs), you can harden your Windows computers and restrict anonymous logons.

Scope of protection

Once an attacker has logged on to your computer anonymously, it is fairly easy to gather a lot of security-relevant information. With anonymous logons, an attacker can gather the following information:

  • The list of users on your computer, including Active Directory users
  • The list of groups on your computer, including Active Directory groups
  • The security identifiers (SIDs) of the user accounts on your computer
  • The list of shares on your computer
  • The account policy of your computer
  • The NetBIOS name of your computer
  • The name of your domain
  • The list of domains that your domain trusts

To protect this security information against anonymous logons, use a Group Policy object. Microsoft changed the available level of protection between Windows 2000 and Windows XP/Server 2003.

To restrict anonymous logons on Windows 2000 computers, configure the following setting in the GPO:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Additional restrictions for anonymous connections

Ideally, you would set it to "No access without explicit anonymous permissions". However, this affects clients and applications that need to communicate with your Windows 2000 computer. After testing this setting, you may find it necessary to fall back to "Do not allow enumeration of SAM accounts and shares".

To protect Windows XP and Windows Server 2003 computers, configure the following settings in the same node of the GPO:

  • Network access: Allow anonymous SID/Name translation. Disabling this prevents tools from resolving an account name to its SID (or a SID to its name) over an anonymous connection. Set it to Disabled.
  • Network access: Let Everyone permissions apply to anonymous users. Disabling this prevents anonymous logons from reaching every resource that the Everyone group can reach. Set it to Disabled.
  • Network access: Do not allow anonymous enumeration of SAM accounts. Enabling this prevents the users and groups in the Security Accounts Manager (SAM) database (or Active Directory) from being enumerated anonymously. Set it to Enabled.
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares. Enabling this prevents anonymous listing of users, groups, and the computer's shares. Set it to Enabled.
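A way to verify that the Windows 2000 setting above and the four Windows XP/2003 settings actually took effect on a host is to export its effective security policy with `secedit /export /cfg <file>` and check the exported INF. The following script is an added example (not from the original page): it parses a constructed secedit export embedded inline and compares each setting with the value recommended above. The mapping from the Security Options names to the underlying value names (`LSAAnonymousNameLookup` in the `[System Access]` section; `RestrictAnonymous`, `RestrictAnonymousSAM` and `EveryoneIncludesAnonymous` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` in `[Registry Values]`) is taken from Microsoft's documentation of these policies, not from the page, and the sample INF content is constructed for the example.

```python
"""Audit a secedit export for the anonymous-access settings discussed above.

SAMPLE_INF is constructed sample input, not from the page.  On a real host
the file is produced with:  secedit /export /cfg C:\\audit.inf
"""
import re

# Recommended values keyed by the value name that backs each Security Option.
# (Mapping assumed from Microsoft documentation; the page only gives the
# human-readable policy names.)  secedit writes REG_DWORD entries as "4,<n>".
REQUIRED = {
    # Network access: Allow anonymous SID/Name translation -> Disabled
    "LSAAnonymousNameLookup": ("System Access", 0),
    # Network access: Let Everyone permissions apply to anonymous users -> Disabled
    "EveryoneIncludesAnonymous": ("Registry Values", 0),
    # Network access: Do not allow anonymous enumeration of SAM accounts -> Enabled
    "RestrictAnonymousSAM": ("Registry Values", 1),
    # Network access: Do not allow anonymous enumeration of SAM accounts and shares -> Enabled
    # (on Windows 2000 the same value carries the three-level setting: 0, 1 or 2)
    "RestrictAnonymous": ("Registry Values", 1),
}

# Constructed export: one setting correct, two wrong, one never configured.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\EveryoneIncludesAnonymous=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit(text):
    """Return {section: {name: value}}; registry paths are reduced to the value name."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current == "Registry Values":
            key = key.rsplit("\\", 1)[-1]        # keep only the value name
            reg_type, _, value = value.partition(",")
            if reg_type != "4":                   # only REG_DWORD matters here
                continue
        sections[current][key] = value
    return sections


def audit(text):
    """Return (name, status, actual) per setting; status is 'ok', 'bad' or 'missing'."""
    sections = parse_secedit(text)
    findings = []
    for name, (section, want) in REQUIRED.items():
        actual = sections.get(section, {}).get(name)
        if actual is None:
            # Not in the export: the policy was never set and the OS default applies.
            findings.append((name, "missing", None))
        elif int(actual) == want:
            findings.append((name, "ok", int(actual)))
        else:
            findings.append((name, "bad", int(actual)))
    return findings


if __name__ == "__main__":
    for name, status, actual in audit(SAMPLE_INF):
        print(f"{status:7} {name} = {actual}")
```

Run against the constructed sample, the audit reports `RestrictAnonymous` as ok, `LSAAnonymousNameLookup` and `EveryoneIncludesAnonymous` as bad, and `RestrictAnonymousSAM` as missing. A "missing" result is worth following up rather than ignoring: the host is running on its built-in default for that option, which may or may not match the recommendation above depending on the Windows version.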

Anonymous logons are easy to use and give attackers access to far too much information. You need to protect your computers to keep a stable and secure environment. With GPOs, you can protect your clients and servers regardless of which Windows version they run. Once anonymous logon protection has been tested and deployed, you can move on to the next step: protecting your network.
