I have a Windows 2008 R2 Domain Controller that continues to allow Anonymous Logons despite the following changes.
A GPO was created for local security policies:
- Network access: Allow anonymous SID/Name translation (Disabled)
- Network access: Do not allow anonymous enumeration of SAM accounts (Enabled)
- Network access: Do not allow anonymous enumeration of SAM accounts and shares (Enabled)
- Network access: Let Everyone permissions apply to anonymous users (Disabled)
- Network access: Named Pipes that can be accessed anonymously (Null)
- Network access: Restrict anonymous access to Named Pipes and Shares (Enabled)
- Network access: Shares that can be accessed anonymously (Null)
RestrictAnonymous = 1
restrictanonymoussam = 1
everyoneincludesanonymous = 0
NullSessionPipes = ""
NullSessionShares = ""
restrictnullsessaccess = 1
Executed the following commands:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete
net localgroup "Pre-windows 2000 compatible access" "Anonymous logon" /delete
I used the following command to test: net use \\servername\IPC$ "" /user:""
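
One way to confirm that the settings listed above are actually in effect on the domain controller, as an added example that is not part of the original post: the PowerShell below reads each value from its standard registry location and compares it with the value the post lists, then shows the current membership of the group the `net localgroup` commands modified. It sticks to syntax available in the PowerShell 2.0 that ships with Windows 2008 R2.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
# Expected values are the ones listed in the post.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$expected = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Want = '1' },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = '1' },
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = '0' },
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Want = '1' },
    @{ Path = $srv; Name = 'NullSessionPipes';          Want = ''  },
    @{ Path = $srv; Name = 'NullSessionShares';         Want = ''  }
)

$results = foreach ($e in $expected) {
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value is absent: acceptable for the two lists that should be empty,
        # but a missing DWORD means the policy did not write it, so flag it.
        $actual = '<not set>'
        $ok = ($e.Want -eq '')
    } else {
        # REG_MULTI_SZ returns string[]; stringify and drop empty entries so an
        # empty list compares equal to '' and a DWORD of 0 is not lost.
        $actual = (@($item.($e.Name)) | ForEach-Object { "$_" } |
                   Where-Object { $_ -ne '' }) -join ','
        $ok = ($actual -eq $e.Want)
    }
    New-Object PSObject -Property @{
        Name     = $e.Name
        Expected = $e.Want
        Actual   = $actual
        OK       = $ok
    }
}

$results | Select-Object Name, Expected, Actual, OK | Format-Table -AutoSize

# Membership after the two "net localgroup ... /delete" commands from the post.
net localgroup "Pre-Windows 2000 Compatible Access"

# Shows which GPOs were applied to the computer, to confirm the new GPO is among them.
gpresult /r /scope computer
```

Any row with `OK` set to `False` means the value on the machine differs from what the GPO was meant to set.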