Restrict Anonymous Users

Check Description

This check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections on the scanned computer.

Anonymous users can list certain types of system information, including user names and details, account policies, and share names. Users who want enhanced security can restrict this function so that anonymous users cannot access this information.

Additional Information

The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. You can set this to any of the following values:

0 - None. Rely on default permissions

1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names

2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)

It is not recommended to set RestrictAnonymous to 2 on Domain Controllers unless they are in pure Windows 2000 environments and have been tested for application compatibility.  Please refer to the Knowledge Base articles below for more details on configuring RestrictAnonymous on Domain Controllers.

Note: In Windows XP there is a new registry setting (EveryoneIncludesAnonymous) that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems.
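The values described above can be audited with a short script. This is an added example, not part of the original page or of the scanning tool: the function names Get-LsaDword and Test-RestrictAnonymous are hypothetical, the HKLM\SYSTEM\CurrentControlSet\Control\Lsa path is the standard location of both values rather than something stated on this page, and treating an absent value as 0 is an assumption. It requires a PowerShell version that provides Get-CimInstance.

```powershell
# Added example, not the scanning tool's own code.
# Assumption: both values live under the Lsa key; an absent value counts as 0.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    $p = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }   # value not present in the registry
    return [int]$p.$Name
}

function Test-RestrictAnonymous {
    param(
        [int]$RestrictAnonymous,
        [int]$EveryoneIncludesAnonymous,
        [bool]$IsDomainController
    )
    $findings = @()
    switch ($RestrictAnonymous) {
        0 { $findings += 'FAIL: RestrictAnonymous=0, anonymous enumeration relies on default permissions.' }
        1 { $findings += 'PASS: RestrictAnonymous=1, SAM account and name enumeration is not allowed.' }
        2 {
            $findings += 'PASS: RestrictAnonymous=2, no access without explicit anonymous permissions.'
            if ($IsDomainController) {
                # The page advises against 2 on Domain Controllers outside pure Windows 2000 environments.
                $findings += 'WARN: value 2 on a Domain Controller; confirm a pure Windows 2000 environment and test application compatibility.'
            }
        }
        default { $findings += "FAIL: RestrictAnonymous=$RestrictAnonymous is not one of the documented values (0, 1, 2)." }
    }
    if ($EveryoneIncludesAnonymous -ne 0) {
        $findings += 'WARN: EveryoneIncludesAnonymous is set; permissions granted to Everyone also apply to anonymous users.'
    }
    [pscustomobject]@{
        RestrictAnonymous         = $RestrictAnonymous
        EveryoneIncludesAnonymous = $EveryoneIncludesAnonymous
        IsDomainController        = $IsDomainController
        Compliant                 = -not ($findings -match '^FAIL')
        Findings                  = $findings
    }
}

# ProductType 2 in Win32_OperatingSystem identifies a Domain Controller.
$isDc = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2
Test-RestrictAnonymous -RestrictAnonymous (Get-LsaDword 'RestrictAnonymous') `
    -EveryoneIncludesAnonymous (Get-LsaDword 'EveryoneIncludesAnonymous') `
    -IsDomainController $isDc | Format-List
```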

Additional Resources

Restricting Information Available to Anonymous Logon Users (Q143474) (Windows NT 4.0)

How to Use the RestrictAnonymous Registry Value in Windows 2000 (Q246261)

© 2002 Microsoft Corporation. All rights reserved.