On computers that are running Windows, access control lists (ACLs) and
security identifiers (SIDs) control access to resources. Each resource has an ACL
that contains the SIDs of all users and groups that have been granted or denied
access to the resource.
When users log on to a computer that is running Windows,
either interactively or over a network, they are issued an access token that
contains the SID of their user account and the SIDs of all the security groups
that the user account is a member of. When the user attempts to access a
resource, Windows compares the SIDs in the user's access token against the SIDs
in the entries of the resource's ACL. Access is granted or denied according to
the matching entries (a matching Deny entry takes precedence over a matching
Allow entry). If no entry in the ACL matches a SID in the token, the user is
denied access.
Anonymous users (users or services that access resources over
a network connection by using a null user account name, domain and password)
are automatically added to the Anonymous Logon built-in security group. In
earlier versions of Windows, members of the Anonymous Logon security group are
able to access many resources. In some cases, if administrators are not aware
that members of the Anonymous Logon security group are included as members of
the Everyone security group, anonymous users may be granted access to resources
that are only intended for authenticated users.
In Windows XP and
later, the Anonymous Logon security group has been removed from the Everyone
security group. This modification helps to limit the number of network
resources that are available by default to anonymous users, and to simplify
network administrators' control of anonymous user access. Because the Everyone
group no longer includes anonymous users, it is easier for administrators to
configure a secure system for the following reasons:
- The default ACLs on earlier versions of Windows
(particularly Windows NT 4.0) that enable the Everyone security group to access
resources, and potentially expose the site to attack, do not grant access to
anonymous users after the computer is upgraded to Windows XP.
- Anonymous users are not granted access to resources that
the administrator is unaware of.
- Anonymous users can be explicitly granted access to
specific resources through the clearly named Anonymous Logon security
group.
Note This security enhancement is present only on computers that are
running Windows XP or later. Therefore, only anonymous users that are
attempting to access resources that are hosted on computers that are running
Windows XP or later are affected.
Implementation
To
implement this security enhancement, you must change the contents of the access
token that is generated for anonymous users. In earlier versions of Windows,
the access token for anonymous users contained SIDs for:
- The Everyone security group
- The Anonymous Logon security group
- The logon type (usually Network)
In Windows XP and later, the Everyone security group has been
removed from the access token for anonymous users. Therefore, the access token
for anonymous users contains SIDs for:
- Anonymous Logon
- The logon type (usually Network)
When an anonymous user tries to access a resource on a computer
that is running Windows XP or later, the anonymous user is not granted
permissions or group memberships that are available to the Everyone security
group, because the SID for the Everyone security group is not present in the
anonymous user's access token.
Compatibility with earlier versions of Windows
Windows 2000 introduced a mechanism to change the recommended
strict security settings to security settings that granted some anonymous users
access to Active Directory objects that are required by services that are
running on earlier versions of the operating system. Because of the security
enhancement in Windows XP, there is a slight change to the way the Windows 2000
mechanism works.
Windows 2000 introduced stricter default security
settings than those in Windows NT 4.0 and earlier versions of the operating
system. To be compatible with services that require anonymous access to certain
domain data, Windows 2000 provided a way to switch between high-security
settings (the preferred configuration when backward compatibility is not
required) and backward compatible security settings that grant anonymous users
the access required by systems running Windows NT 4.0 and earlier versions of
Windows.
The Pre-Windows 2000
Compatible Access security group, which was introduced in Windows 2000, controls
this security choice. Backward compatibility is achieved on computers that are
running Windows 2000 by making the Everyone security group a member of the
Pre-Windows 2000 Compatible Access security group. You can configure
high-security settings by removing all members from the Pre-Windows 2000
Compatible Access group.
On Windows Server 2003 domain controllers,
the Everyone group no longer includes Anonymous Logon. Therefore, the backward
compatible settings require that both the Everyone and Anonymous Logon security
groups are members of the Pre-Windows 2000 Compatible Access group. To satisfy
this requirement, use either of the following methods:
- If you promote a computer that is running Windows Server
2003 to a domain controller by using the Active Directory Promotion Wizard
(Dcpromo.exe), click Permissions compatible with pre-Windows 2000
servers to add the Anonymous Logon and Everyone security groups to the
Pre-Windows 2000 Compatible Access security group.
- If you are upgrading a Windows 2000-based domain controller
to Windows Server 2003, the Anonymous Logon security group is added to the
Pre-Windows 2000 Compatible Access security group during the
upgrade. This occurs if the Everyone security group is already a member of the
Pre-Windows 2000 Compatible Access security group (indicating backward
compatibility settings).
You can manually switch between the backward compatible and
high-security settings on Active Directory objects by updating the membership
of the Pre-Windows 2000 Compatible Access security group by using the Active
Directory Users and Computers snap-in.
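As an added example (not code from this article), the following PowerShell reads the membership of Pre-Windows 2000 Compatible Access and classifies the domain as high-security or backward compatible using the two rules stated above: on Windows 2000 domain controllers, Everyone alone is enough; on Windows Server 2003 domain controllers, both Everyone and Anonymous Logon must be members. It assumes the RSAT ActiveDirectory module is installed and that it is run as a domain user who can read the Builtin container; the function name and the state labels are my own.

```powershell
Import-Module ActiveDirectory

function Get-PreWin2000CompatState {
    # Read the member attribute directly and resolve each member DN to its
    # objectSid. Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) appear in
    # the group as foreign security principals, whose objectSid is the
    # well-known SID itself, so comparing SIDs is reliable and not localized.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $memberSids = foreach ($dn in $group.member) {
        (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
    }

    $hasEveryone  = $memberSids -contains 'S-1-1-0'
    $hasAnonymous = $memberSids -contains 'S-1-5-7'

    $state = if (-not $hasEveryone -and -not $hasAnonymous) {
        'HighSecurity: no anonymous-related members'
    } elseif ($hasEveryone -and $hasAnonymous) {
        'BackwardCompatible: valid on Windows 2000 and Windows Server 2003 DCs'
    } elseif ($hasEveryone) {
        'BackwardCompatible on Windows 2000 DCs only: Anonymous Logon is missing'
    } else {
        'Unusual: Anonymous Logon present without Everyone'
    }

    [pscustomobject]@{
        Group          = $group.DistinguishedName
        MemberSids     = $memberSids
        EveryoneMember = $hasEveryone
        AnonymousLogon = $hasAnonymous
        State          = $state
    }
}

Get-PreWin2000CompatState | Format-List
```

Reading the member attribute and resolving SIDs yourself avoids the errors Get-ADGroupMember can raise when a group contains foreign security principals. To switch states without the snap-in, the classic commands on a domain controller are net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /add and the same line with /delete; rerun the function afterwards to confirm the state you intended.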
Compatibility with programs that work with Windows 2000
When you upgrade Windows 2000 to Windows XP, resources with ACLs
that grant access to the Everyone group (and not explicitly to the Anonymous
Logon group) are no longer available to anonymous users after the upgrade. In
most cases, this is an appropriate restriction on anonymous access. However,
you may need to permit anonymous access to these resources to support
pre-existing programs. In this case, you should explicitly add the Anonymous
Logon security group to the ACLs on the specific resources.
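As an added example (not code from this article), the following PowerShell checks a file system ACL against the two well-known SIDs this article is about, Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7), and flags resources whose anonymous access depends on Everyone alone, which is exactly the case that stops working after the upgrade. It also shows the token side of the access check described at the top of the article by listing the group SIDs in the current process token. The path in the usage line is a placeholder, and the function names and output fields are mine.

```powershell
# Well-known SIDs: Everyone and Anonymous Logon
$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$AnonymousSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'

function Get-AnonymousExposure {
    # Reports how an NTFS ACL treats Everyone and Anonymous Logon.
    param([Parameter(Mandatory)][string]$Path)

    $acl  = Get-Acl -Path $Path
    $aces = foreach ($ace in $acl.Access) {
        # Compare SIDs rather than display names: names are localized, SIDs are not
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Sid    = $sid.Value
            Type   = $ace.AccessControlType   # Allow or Deny
            Rights = $ace.FileSystemRights
        }
    }
    $everyoneAllow  = @($aces | Where-Object { $_.Sid -eq $EveryoneSid.Value  -and $_.Type -eq 'Allow' })
    $anonymousAllow = @($aces | Where-Object { $_.Sid -eq $AnonymousSid.Value -and $_.Type -eq 'Allow' })

    [pscustomobject]@{
        Path                  = $Path
        EveryoneAllowed       = $everyoneAllow.Count  -gt 0
        AnonymousLogonAllowed = $anonymousAllow.Count -gt 0
        # True when anonymous access only works if Everyone includes Anonymous Logon
        # (the pre-XP behaviour, or EveryoneIncludesAnonymous = 1 on XP and later).
        # Such a resource needs an explicit Anonymous Logon ACE after the upgrade.
        DependsOnEveryone     = ($everyoneAllow.Count -gt 0) -and ($anonymousAllow.Count -eq 0)
        EveryoneRights        = ($everyoneAllow | ForEach-Object { $_.Rights }) -join ', '
    }
}

function Get-TokenGroupSids {
    # Lists the group SIDs in the calling process's access token; these are
    # the SIDs Windows compares against the ACEs during the access check.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $identity.Groups | ForEach-Object { $_.Value }
}

# Example usage (placeholder path):
Get-AnonymousExposure -Path 'C:\inetpub\wwwroot' | Format-List
# Which of the two SIDs is in our own token (an interactive user has S-1-1-0, not S-1-5-7)
Get-TokenGroupSids | Where-Object { @('S-1-1-0', 'S-1-5-7') -contains $_ }
```

Run Get-AnonymousExposure over the directories a legacy program touches (for example by piping Get-ChildItem -Directory into it) and fix only the entries where DependsOnEveryone is true; that keeps the explicit Anonymous Logon grants to the smallest set of resources, which is the outcome the article recommends.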
In some
situations, it might be difficult to determine which resource on the computer
that is running Windows XP you must grant anonymous access to. It may also be
difficult to modify the permissions on all of the necessary
resources.
In these situations, you may need to force the computer
that is running Windows XP to include the Anonymous Logon security group in the
Everyone security group. To support this functionality, Windows XP introduces a
new registry value,
EveryoneIncludesAnonymous. This value can be used to switch between the default Windows XP
behavior (the Everyone security group does not include the Anonymous Logon
security group) and the Windows 2000 behavior (the Everyone security group
includes the Anonymous Logon security group).
When the access token
for an anonymous user is built, if the
EveryoneIncludesAnonymous registry value is set to the value of
REG_DWORD 0x0, the local security authority (LSA) of the computer that is
running Windows XP does not include the SID of the Everyone security group in
the anonymous user's access token. This is the default setting.
If
the
EveryoneIncludesAnonymous registry value is set to the value of
REG_DWORD 0x1, the LSA includes the SID of the Everyone security group in the
anonymous user's access token.
To set the
EveryoneIncludesAnonymous registry value, use either of the following methods.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
- To set the EveryoneIncludesAnonymous registry value by using local security settings:
- Click Start, point to Programs, point to Administrative Tools, and then click either Local Security Policy or
Domain Security Policy (on domain controllers
only).
- Click Security Settings, double-click Local Policies, and then click Security Options.
- Right-click Let Everyone permissions apply to
anonymous users, and then click Properties.
- To enable anonymous users to be members of the Everyone
security group, click Enabled. To prevent the inclusion of the Everyone security group SID in
the anonymous user's access token (the Windows XP default), click Disabled.
- To set the EveryoneIncludesAnonymous registry value by
using Registry Editor:
- Click Start, click Run, type regedit, and then click OK.
- Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click EveryoneIncludesAnonymous, and then click Modify.
- To enable anonymous users to be members of the Everyone
security group, in the Value data box, type 1. To prevent the inclusion of
the Everyone security group SID in the anonymous user's access token (the
Windows XP default), in the Value data box, type 0.
- Quit Registry Editor.
Note This change can affect the following Windows-based technologies:
COM, DCOM, IIS, Message Queuing, and any other technology where anonymous
authentication is frequently employed.
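As an added example (not part of this article), the following PowerShell reads the EveryoneIncludesAnonymous value, exports the Lsa key with reg.exe before changing it (the backup the Important note asks for), and sets the value to 0 or 1 with -WhatIf support so the change can be previewed first. Run it from an elevated prompt. The function names and the backup path are mine; treating an absent value as 0 follows the article's statement that 0 is the default behaviour.

```powershell
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'   # reg.exe spelling of the same key
$ValueName = 'EveryoneIncludesAnonymous'

function Get-EveryoneIncludesAnonymous {
    # Returns 0 (Everyone SID absent from anonymous tokens, the XP default)
    # or 1 (Everyone SID included, the Windows 2000 behaviour).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # assumption: an absent value behaves as the default, 0
    return [int]$item.$ValueName
}

function Set-EveryoneIncludesAnonymous {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [string]$BackupFile = (Join-Path $env:TEMP 'Lsa-backup.reg')   # placeholder path
    )

    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set REG_DWORD to $Value")) {
        # Export the whole Lsa key first so the change can be undone with:
        #   reg.exe import <BackupFile>
        & reg.exe export $LsaKeyReg $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Backup of $LsaKeyReg failed; registry left unchanged."
        }
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Value -Type DWord
    }

    # LSA reads the value when it builds the next anonymous token; report what is now stored.
    Get-EveryoneIncludesAnonymous
}

"Current EveryoneIncludesAnonymous: $(Get-EveryoneIncludesAnonymous)"
Set-EveryoneIncludesAnonymous -Value 0 -WhatIf   # preview; drop -WhatIf to apply
```

Setting the value to 1 re-creates the Windows 2000 behaviour on every resource on the computer at once, so prefer adding Anonymous Logon to the specific ACLs where the earlier section shows it is needed, and use this switch only when that is impractical; in either case, confirm the stored value afterwards rather than assuming the write succeeded.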