The RestrictAnonymous registry key controls the level of enumeration granted to an anonymous user. If RestrictAnonymous is set to 0 (that is, the default setting), any user can obtain system information, including: user names and details, account policies, and share names. Anonymous users can use this information in an attack against your system. The list of user names and share names could help potential attackers identify who is an administrator, which computers have weak account protection, and which computers share information with the network.
Solution
To restrict anonymous connection from accessing this system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in (setting is defined in the Local Policies portion of the default security templates), or through a registry editor. You can change the registry key from 0 to 1 in Microsoft Windows NT 4.0, or from 0 to 1 or 2 in Windows 2000:
0 - None. Rely on default permissions
1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)
Caution: Before you set this value to 2, see article Q246261, "How to Use the RestrictAnonymous Registry Value in Windows 2000." It is recommended that you do not set this value to 2 on domain controllers. In addition, client machines with RestrictAnonymous set to 2 should not take on the role of master browser.
Additional Information
The RestrictAnonymous registry key controls the level of enumeration granted to an anonymous user. This key can be set to any of the following values:
0 - None. Rely on default permissions
1 - Do not allow enumeration of SAM accounts and names
2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)
Restricting Information Available to Anonymous Logon Users (Q143474) (Windows NT 4.0)
How to Use the RestrictAnonymous Registry Value in Windows 2000 (Q246261)
⌐ 2002 Microsoft Corporation. All rights reserved.