It is possible to restrict the ability to list domain user names and enumerate share names available to anonymous logon users (also known as NULL session connections). If you feel this is a security risk, Windows NT 4.0 with Service Pack 3 or later introduced a new option to stop anonymous users listing users and shares. I didn't discover this until I found that I was experiencing hacker login attempts. The hacker enumerated every one of my user accounts and tried to guess the passwords. His program kept trying even after the account was locked out due to too many failed attempts. I was stunned that, even with my tight firewall, anonymous persons out on the Internet could get a list of all my user accounts! The information below will allow you to block this access, as long as doing so does not interfere with the functions needed on your server.
Excerpts from http://support.microsoft.com/kb/q143474/
KB 143474 Restricting information available to anonymous logon users
Windows NT has a feature where anonymous logon users can list domain user names and enumerate share names. Customers who want enhanced security have requested the ability to optionally restrict this functionality. Windows NT 4.0 Service Pack 3 provides a mechanism for administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names.
1. Run Registry Editor (Regedt32.exe).
2. Go to the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
3. On the Edit menu, click Add Value and use the following entry:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1
4. Exit the Registry Editor and restart the computer for the change to take effect.
Note: Remote access to the registry may still be possible after you follow the steps in this article if the RestrictNullSessAccess registry value has been created and is set to 0. This value allows remote access to the registry by using a null session. The value overrides other explicit restrictive settings.
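To check a server against both the steps and the note above, the following added example (not part of the KB article or the original post) audits a regedit text export offline. The sample exports are constructed, and the key path used for RestrictNullSessAccess is an assumption, since the page does not say where that value lives.

```python
import re

# Key named on the page (registry paths are case-insensitive).
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"
# Assumption: the page does not say where RestrictNullSessAccess lives;
# this is the LanmanServer parameters key where that value is normally found.
SRV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Parse a regedit text export into {key: {value_name: int}} (DWORDs only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := DWORD.match(line)):
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return a list of (value_name, problem) for the two settings above."""
    keys = parse_reg_export(text)
    restrict_anon = keys.get(LSA_KEY.lower(), {}).get("restrictanonymous")
    null_sess = keys.get(SRV_KEY.lower(), {}).get("restrictnullsessaccess")
    findings = []
    if not restrict_anon:  # missing (None) or explicitly 0
        findings.append(("RestrictAnonymous",
                         "absent or 0: anonymous logons can list users and shares"))
    if null_sess == 0:  # only an explicit 0 triggers the override in the note
        findings.append(("RestrictNullSessAccess",
                         "set to 0: null-session access overrides the restriction"))
    return findings

# Constructed sample exports, not taken from a real server.
EXPORT_OVERRIDDEN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000
'''
EXPORT_DEFAULT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"auditbaseobjects"=dword:00000000
'''
```

Calling `audit()` on the text of an export returns an empty list only when RestrictAnonymous is non-zero and RestrictNullSessAccess is not explicitly 0.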
Thanks to BadDog for discovering this problem before I did. See thread55-911230.
On a side point, some years ago we moved certain of the powerful Windows commands out of the C:\WinNT\System32 directory. I think at one time Microsoft had made an extensive list of utilities or commands that should be moved to another directory so that internet-based scanning and hacking couldn't start them up and view, copy or damage my data. For example, I remember my logs from a couple of years ago always showed scanning where someone or something out there was trying to run boot.exe and cmd.exe. But I had already created a directory and moved those executables and others such as edit, fdisk, format, etc.