Hello, I'm considering making the following reg changes on my 2003, 2008, and 2008R2 servers: Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following values: Value Name: RestrictAnonymous Data Type: REG_DWORD Data Value: 1 Value Name: RestrictAnonymousSAM Data Type: REG_DWORD Data Value: 1 Value Name: EveryoneIncludesAnonymous Data Type: REG_DWORD Data Value: 0 and set the following value to 0 (or, alternatively, delete it): Value Name: TurnOffAnonymousBlock Data Type: REG_DWORD Data Value: 0 Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ with the following values: Value Name: RestrictNullSessAccess Data Type: REG_DWORD Data Value: 1 Value Name: NullSessionPipes Data Type: REG_MULTI_SZ Data Value: "" (empty string, without quotes) Open Local Security Settings, and disable the following setting: Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled In general, I know the RistrictAnonymous and related settings will break several things for old NT4 downlevel clients and domains, and also break the 'browser' service, and so any apps relying on the browser service. Anything else? and barring third party apps, what does this really mean for the OS operations when there are no NT4 boxes to consider? Will there be any issues on 2003, 2008, 2008R2 with things like IIS, SMTP, and SQL Server? I realize the best/only way to be sure is to test, but I don't really have an exact configuration to test, looking for more general if/then/else stuff here... What I'm doing now is trying to get info to determine the likelihood these settings can safely be included in 'base' installs for servers, that typically will become web and/or database servers (IIS/SQL Server), but may wind up being configured for any other roles... so another way I'm looking at it is, if I include these settings in my base installs, how often might they need to be changed in order to get other, less typical roles working, with 'less typical' for me meaning not an IIS/SMTP or SQL Server? so there is my discussion orienting info, and here are the 2 specific categories I'm hoping to get some discussion going on: 1. known issues/problems with these settings related to IIS, SMTP, SQL Server 2. theoretically speaking, examples of possible effects of these settings on anything in 2003/2008/2008R2 based systems any input would be appreciated, thanks!

I know this is an older post, but did you make this change? What were the effects? I am considering the same.

I always do like that, but through Group Policy (Security Options). No side effects. Null sessions may be required to establish trusts between domains. I have not experienced any bad consequences to IIS, SMTP, SQL.MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA