
The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group.


Overview

Finding ID: V-8547
Version: AD.0220
Rule ID: SV-9044r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: Medium
Description
The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects grant access to the Pre-Windows 2000 Compatible Access group. Removing these memberships in a forest in which Windows NT domain controllers are still deployed could cause operational problems, including denied access to authorized users, so the change should be tested where such controllers remain. When the Everyone or Anonymous Logon groups are members of the Pre-Windows 2000 Compatible Access group, anonymous access to many AD objects is enabled. Anonymous access to AD data could provide valuable account or configuration information (user names, group memberships, trust and policy settings) to an intruder trying to determine the most effective attack strategies.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-04-01

Details

Check Text (C-7706r1_chk)
1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”).

2. Select and expand the left pane item that matches the name of the domain being reviewed and perform the following:
a. Select the Builtin item.
b. Double-click the Pre-Windows 2000 Compatible Access group and select the Members tab.

3. If the Anonymous Logon group or Everyone group is a member of the Pre-Windows 2000 Compatible Access group, then this is a finding.

Fix Text (F-8067r1_fix)
Remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access group.
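The following PowerShell script is an added example, not part of the STIG text, that performs the check above and, with -Remediate, applies the fix. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to modify the Builtin group; the function name, parameters and output layout are this example's own. It resolves the group and the forbidden principals by their well-known SIDs (group S-1-5-32-554, Everyone S-1-1-0, ANONYMOUS LOGON S-1-5-7) rather than by display name, so it also works on localized domain controllers, and reads the raw member attribute because Get-ADGroupMember does not reliably expand well-known foreign security principals.

```powershell
<#
Added example (not from the STIG). Audits the Pre-Windows 2000 Compatible Access
group for the Everyone and ANONYMOUS LOGON principals (STIG V-8547 / AD.0220) and,
when -Remediate is given, removes them. Assumes the ActiveDirectory module and rights
to modify the Builtin group. Function and parameter names are assumptions for this example.
#>
function Test-PreWin2kCompatibleAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Server,     # optional domain controller to query; default is module discovery
        [switch]$Remediate   # remove offending members instead of only reporting them
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # Well-known SID of BUILTIN\Pre-Windows 2000 Compatible Access. Read the raw 'member'
    # attribute: members such as Everyone exist as foreignSecurityPrincipal objects that
    # Get-ADGroupMember cannot expand reliably.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member @adArgs

    # Principals whose membership is a finding under this rule.
    $forbidden = @{
        'S-1-1-0' = 'Everyone'
        'S-1-5-7' = 'ANONYMOUS LOGON'
    }

    $findings = @(foreach ($dn in $group.member) {
        # Users, groups and foreignSecurityPrincipal objects all carry objectSid.
        $obj = Get-ADObject -Identity $dn -Properties objectSid @adArgs
        $sid = $obj.objectSid.Value
        if ($forbidden.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal         = $forbidden[$sid]
                Sid               = $sid
                DistinguishedName = $dn
            }
        }
    })

    if ($findings.Count -eq 0) {
        Write-Verbose "Compliant: neither Everyone nor ANONYMOUS LOGON is a member of '$($group.Name)'."
        return $findings
    }

    foreach ($f in $findings) {
        Write-Warning "FINDING V-8547: $($f.Principal) ($($f.Sid)) is a member of '$($group.Name)'."
        if ($Remediate -and $PSCmdlet.ShouldProcess($f.DistinguishedName, "Remove from $($group.Name)")) {
            # The fix: drop the principal from the group. -WhatIf on the function previews this.
            Remove-ADGroupMember -Identity $group -Members $f.DistinguishedName -Confirm:$false @adArgs
        }
    }
    return $findings
}

# Report only (an empty result means no finding):
# Test-PreWin2kCompatibleAccess -Verbose
# Preview the fix, then apply it:
# Test-PreWin2kCompatibleAccess -Remediate -WhatIf
# Test-PreWin2kCompatibleAccess -Remediate
```

Run the report form first and review the returned objects before using -Remediate; as the description notes, a forest that still depends on Windows NT-era anonymous access may see authorized users denied after the removal, so schedule the change where it can be observed and reversed by re-adding the member. Other members of the group, such as Authenticated Users, are outside the scope of this rule and are left untouched.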