Windows NT Anonymous User Connections

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

The Red Button access attack uses anonymous user connections, also called null user connections, to discover which account is the administrative account and what the network shares are. You can disable this discovery by preventing anonymous connections to domains using the following Windows NT registry hack. Caution: this can have severe consequences for SQL Server access and for creating and maintaining domain trusts.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1

Windows 2000 has the same setting and adds the value of 2, which is much more restrictive. It's so restrictive that it does not seem viable in anything but a pure W2K environment - no NT4, no - Mac clients. See KB article Q246261.

Related:
Q143474 - Restricting Information Available to Anonymous Logon Users
Q184018 - NDS for NT does not support restrict anonymous connections
Q168464 - Directory Replication Fails with Event ID 3216
Q246261 - How to Use the RestrictAnonymous Registry Value in Windows 2000
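
To see how RestrictAnonymous is currently set before changing it, the following PowerShell function reads the value from a list of hosts and reports which of the states described above each one is in. It is an added example, not part of the original article; it assumes an administrative workstation with PowerShell 3 or later, the Remote Registry service reachable on each host, and an account with rights to read the key. The function name `Get-RestrictAnonymous` and the host names are hypothetical.

```powershell
# Added example: read-only audit of RestrictAnonymous on one or more hosts.
function Get-RestrictAnonymous {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    $subKey = 'SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($computer in $ComputerName) {
        $hklm = $null; $lsa = $null; $value = $null
        try {
            # Connect to HKEY_LOCAL_MACHINE on the host via Remote Registry.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa = $hklm.OpenSubKey($subKey)   # read-only handle
            if ($null -eq $lsa) { throw "Key not found: HKLM\$subKey" }
            # A missing value is returned as $null.
            $value = $lsa.GetValue('RestrictAnonymous', $null)
            if ($null -eq $value -or $value -eq 0) {
                $finding = 'Not restricted by this value'
            } elseif ($value -eq 1) {
                $finding = 'Restricted (value 1, as set above)'
            } elseif ($value -eq 2) {
                $finding = 'Most restrictive (value 2, Windows 2000; see Q246261)'
            } else {
                $finding = "Unexpected value: $value"
            }
        } catch {
            # Unreachable host, access denied, service stopped, missing key.
            $finding = "Could not read: $($_.Exception.Message)"
        } finally {
            if ($lsa)  { $lsa.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]@{
            ComputerName      = $computer
            RestrictAnonymous = $value
            Finding           = $finding
        }
    }
}

# Constructed host names; replace with your own inventory.
Get-RestrictAnonymous -ComputerName 'PDC01.example.test', 'FILE01.example.test' |
    Format-Table -AutoSize
```

Hosts reported as unreadable need a separate check, since a failed read says nothing about how the value is set.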
