Tech Tip: Protect your network against anonymous user logons

Learn how to protect your network against anonymous user logons.

By Mike Mullins

Whether they're viewing a Web page without entering a password or connecting to a Windows share through a null session, anonymous users are not required to enter a login credential for a network resource.

However, upgrading to Windows 2000 or XP doesn't remove the null session vulnerability inherited from Windows NT. You must judge for yourself whether this vulnerability is acceptable or unnecessary.

For example, you might want users to anonymously log on and log off for certain machines. This is certainly true of all public Web and FTP servers. But for the rest of your network, allowing anonymous login is a security risk that you need to lock down.

Are you vulnerable?

The first step is to figure out whether your organization is vulnerable and determine if anyone is exploiting this vulnerability.

If you're running a Web server, you should see numerous NT Authority/Anonymous Event ID 538 (Logoff) and 540 (Logon) entries in the security log of your event viewer. These entries are normal; your Web user account is proxying a request from a user to view Web pages.

However, you should not see NT Authority/Anonymous event ID 528 (Logon) Type 3 on your file servers and workstations. These events indicate that an anonymous user has successfully viewed or connected to a network share.

Closing this vulnerability is easy. You can secure your network either through Group Policy or via the local security policy on the machine.

Stop anonymous logons

In Windows 2000 Server and Windows Server 2003, you can disable anonymous logons using Active Directory and Group Policy. Follow these steps:

  1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
  2. Select Security Options.
  3. Double-click Additional Restrictions For Anonymous Connections.
  4. Change the setting to Do Not Allow Enumeration Of SAM Accounts And Shares.

Or, you can make the change locally on a machine without using Group Policy. Follow these steps:

  1. Go to Start | Run.
  2. Enter secpol.msc in the Open text box, and click OK. This opens the Local Security Settings applet.
  3. Expand Local Policies, and select Security Options.
  4. In Windows 2000, double-click Additional Restrictions For Anonymous Connections, and change the setting to Do Not Allow Enumeration Of SAM Accounts And Shares.
  5. In Windows XP, double-click Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares, select Enabled, and click OK.

You've now protected your workstations and servers against anonymous user logons.
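The following PowerShell script is an added example, not part of the original article. It audits a single machine for the two things described above: whether the anonymous-enumeration restriction is in force, and whether the Security log holds the NT Authority/Anonymous Event ID 528 Type 3 entries that indicate a null session was used. It assumes the legacy (pre-Vista) event IDs quoted in the article and assumes that the Group Policy setting is backed by the RestrictAnonymous registry value under the Lsa key (the value name is not mentioned in the article).

```powershell
# Added example (not from the original article): audit one machine for anonymous
# network logons and for the setting that restricts anonymous enumeration.
# Assumptions: legacy Security log event IDs (528/538/540) as quoted in the
# article; the "Do Not Allow Enumeration Of SAM Accounts And Shares" setting is
# backed by the RestrictAnonymous value (1 = enumeration blocked, 0 = allowed).

# 1. Is anonymous enumeration of SAM accounts and shares restricted?
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$restrict = $lsa.RestrictAnonymous
if ($null -eq $restrict) { $restrict = 0 }   # absent value means the default (0)
if ($restrict -ge 1) {
    Write-Host "RestrictAnonymous = $restrict : anonymous enumeration is blocked"
} else {
    Write-Host "RestrictAnonymous = $restrict : anonymous enumeration is ALLOWED; apply the policy above"
}

# 2. Has anyone used a null session? A successful network logon (528, Logon
#    Type 3) by NT AUTHORITY\ANONYMOUS LOGON is the indicator the article
#    describes for file servers and workstations. The 538/540 pairs for the
#    Web user account on a Web server are expected and are not flagged here.
$anonLogons = @(Get-EventLog -LogName Security -InstanceId 528 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'ANONYMOUS LOGON' -and
        $_.Message -match 'Logon Type:\s+3'
    })

if ($anonLogons.Count -gt 0) {
    Write-Host ("{0} successful anonymous network logon(s) found; most recent:" -f $anonLogons.Count)
    $anonLogons |
        Select-Object -First 10 TimeGenerated, MachineName,
            # Workstation Name is present in 528 events; Source Network Address
            # only on XP/2003, so it may be empty on Windows 2000.
            @{n='Workstation';   e={ if ($_.Message -match 'Workstation Name:\s+(\S+)') { $Matches[1] } }},
            @{n='SourceAddress'; e={ if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } }} |
        Format-Table -AutoSize
} else {
    Write-Host 'No successful anonymous network logons (528, Logon Type 3) recorded.'
}
```

Run it in an elevated PowerShell session, since reading the Security log requires administrative rights; the workstation name and source address columns tell you where a null session came from.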

Final thoughts

Keep in mind that there are several situations in which you can't close this vulnerability without breaking network services for your users or connections between servers.

One of these situations is if you're still running your domain in mixed mode. From a security perspective, this is just one more reason to get rid of your NT 4 machines and go native with Windows 2000/XP/2003.

For more in-depth information on this vulnerability and restrictions for when you can and can't implement this security fix, check out Microsoft Knowledge Base article 823659.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.