Posted by Roger Abell [MVP] on February 14, 2007, 12:11 am
>> On a Windows 2000 and Windows 2003 domain controller (maybe a different
>> answer for each?), when should you expect to see an Anonymous Logon in
>> the security Event Viewer as a normal occurrence?
>
> I should have qualified this question. Assume that all of the standard
> GPOs that forbid anonymous access and enumeration are enabled.
>
Hi Will,
That is a great question.
I do wish someone from Microsoft would give a definitive answer.
I will not speak to the Windows 2000 case, as that is old and was
evolved before much of the world, including Microsoft, had this as
an issue in focus.
For Windows 2003, as best as I can tell, it is not possible to prevent
all anonymous logins; at least I have not found a way to do so. As
best I can tell, after one has latched down the system as far as the
visible settings allow, when one does still see the Anonymous Login
success message it is coming from the initial negotiation used to
discover the SSPI that is in common and may be used for the required
login. I could easily be wrong, but that has been my working hypothesis.
Roger