The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8547	AD.0220	SV-9044r3_rule	ECAN-1 ECCD-1 ECCD-2	Medium

Description
The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. When the Anonymous Logon or Everyone groups are members of the Pre-Windows 2000 Compatible Access group, anonymous access to many AD objects is enabled. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.

Description

The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. When the Anonymous Logon or Everyone groups are members of the Pre-Windows 2000 Compatible Access group, anonymous access to many AD objects is enabled. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.

STIG	Date
Active Directory Domain Security Technical Implementation Guide (STIG)	2016-02-19

Details

Check Text ( C-66411r2_chk )
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Expand the domain being reviewed in the left pane and select the "Builtin" container. Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane. Select the "Members" tab. If the "Anonymous Logon" or "Everyone" groups are members, this is a finding. (By default, these groups are not included in current Windows versions.)

Check Text ( C-66411r2_chk )

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Expand the domain being reviewed in the left pane and select the "Builtin" container.
Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane.
Select the "Members" tab.

If the "Anonymous Logon" or "Everyone" groups are members, this is a finding.
(By default, these groups are not included in current Windows versions.)

Fix Text (F-71799r1_fix)
Ensure the "Anonymous Logon" and "Everyone" groups are not members of the "Pre-Windows 2000 Compatible Access group". (By default, these groups are not included in current Windows versions.) Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Expand the domain being reviewed in the left pane and select the "Builtin" container. Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane. Select the "Members" tab. If the "Anonymous Logon" or "Everyone" groups are members, select each and click "Remove".

Fix Text (F-71799r1_fix)

Ensure the "Anonymous Logon" and "Everyone" groups are not members of the "Pre-Windows 2000 Compatible Access group". (By default, these groups are not included in current Windows versions.)

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Expand the domain being reviewed in the left pane and select the "Builtin" container.
Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane.
Select the "Members" tab.
If the "Anonymous Logon" or "Everyone" groups are members, select each and click "Remove".