Anonymous users can list certain types of system information, including user names and details, account policies, and share names. Users who want enhanced security can restrict this function so that anonymous users cannot access this information.

It is not recommended to set RestrictAnonymous to 2 on Domain Controllers or on Small Business Servers (SBS) unless they are in pure Windows 2000 environments and have been tested for application compatibility. Please refer to the Knowledge Base articles below for more details on configuring RestrictAnonymous on Domain Controllers and Windows 2000 environments to understand potential compatibility issues when using this setting.

Note: In Windows XP there is a new registry setting (EveryoneIncludesAnonymous) that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems.

Restricting Information Available to Anonymous Logon Users (Q143474) (Windows NT 4.0)
How to Use the RestrictAnonymous Registry Value in Windows 2000 (Q246261)

Additional Information
The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. You can set this to any of the following values:
0 - None. Rely on default permissions
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)
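
A local audit of the RestrictAnonymous and EveryoneIncludesAnonymous settings against the guidance on this page, as an added PowerShell example that is not part of the original Microsoft page. The registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the helper name `Test-AnonymousRestriction`, the treatment of a missing RestrictAnonymous value as 0, and the reading of EveryoneIncludesAnonymous = 1 as "Everyone permissions apply to anonymous users" are assumptions not stated on this page.

```powershell
# Added example, not Microsoft's code. Assumptions not stated on this page:
# both values are REG_DWORDs under the Lsa key below, a missing
# RestrictAnonymous behaves like 0, and EveryoneIncludesAnonymous = 1 means
# permissions granted to Everyone apply to anonymous users.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-AnonymousRestriction {   # hypothetical helper name
    param(
        [Nullable[int]]$RestrictAnonymous,          # $null when the value is absent
        [Nullable[int]]$EveryoneIncludesAnonymous,  # only evaluated on Windows XP or later
        [bool]$IsDomainController,
        [bool]$IsXpOrLater
    )
    $ra = if ($null -eq $RestrictAnonymous) { 0 } else { $RestrictAnonymous }
    $everyoneApplies = $IsXpOrLater -and ($EveryoneIncludesAnonymous -eq 1)
    switch ($ra) {
        0 {
            if ($IsXpOrLater -and -not $everyoneApplies) {
                'INFO: RestrictAnonymous=0; Everyone permissions do not apply to anonymous users (Windows XP default)'
            } else {
                'WARN: RestrictAnonymous=0; default permissions only, anonymous users can list accounts and shares'
            }
        }
        1 { 'OK: RestrictAnonymous=1; SAM account and name enumeration is blocked' }
        2 {
            if ($IsDomainController) {
                'WARN: RestrictAnonymous=2 on a domain controller; only for pure Windows 2000 environments tested for application compatibility'
            } else {
                'OK: RestrictAnonymous=2; no access without explicit anonymous permissions'
            }
        }
        default { "WARN: RestrictAnonymous=$ra is not one of the documented values (0, 1, 2)" }
    }
    if ($everyoneApplies) {
        'WARN: EveryoneIncludesAnonymous=1; permissions granted to Everyone also apply to anonymous users'
    }
}

# Audit the local machine. DomainRole 4 and 5 are backup and primary domain
# controllers; Small Business Server is not detected and needs a manual check.
$lsa  = Get-ItemProperty -Path $LsaKey
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Test-AnonymousRestriction -RestrictAnonymous $lsa.RestrictAnonymous `
    -EveryoneIncludesAnonymous $lsa.EveryoneIncludesAnonymous `
    -IsDomainController ($role -ge 4) `
    -IsXpOrLater ([Environment]::OSVersion.Version -ge [Version]'5.1')
```

The function takes plain values, so the same checks can be run against settings exported from other hosts without touching their registries.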
© 2002 Microsoft Corporation. All rights reserved.