
Security Focus: Check Active Directory for Anonymous Access

In Active Directory there's a little-loved, all-but-forgotten, built-in group that needs attention!

Pre-Windows 2000 Compatible Access

This group is a 'backward compatibility group which allows read access on all users and groups in the domain'. When you enable pre-Windows 2000 compatibility, the special identity ANONYMOUS LOGON is added as a member of the group. This means that anything that can reach your domain controllers over the network can read details of the domain root and of the user, computer and group objects without authenticating.

We advise checking the membership of this group on a regular basis. Here's some PowerShell to help out:

# Well-known SIDs: identical in every domain, so safe to hard-code
$Pre_Windows_2000_Compatible_Access = "S-1-5-32-554"
$Anonymous_Logon = "S-1-5-7"

# Requires the ActiveDirectory module (RSAT); lists the group's members and keeps only ANONYMOUS LOGON
Get-ADGroupMember -Identity $Pre_Windows_2000_Compatible_Access | Where-Object {$_.SID -eq $Anonymous_Logon}

I decided to use the security identifiers (SIDs) of the objects in my search and checks. These are well-known object SIDs that don't change from domain to domain, so the check works unchanged in any domain. The SIDs were assigned to 'human-readable' variables. Here's what happens when I run the above example in one of my domains:

Here we have 'ANONYMOUS LOGON' as a group member. If pre-Windows 2000 compatibility is no longer required (one hopes not!) then it's time to remove the offending member from the group.
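To turn the one-liner above into a repeatable audit, here is an added example (my own code, not from the original post) that checks every domain in the forest for ANONYMOUS LOGON in Pre-Windows 2000 Compatible Access and rehearses the removal with -WhatIf before anyone applies it for real. It assumes the ActiveDirectory module is installed and the caller can query each domain; the function names are my own.

```powershell
# Added example, not part of the original post.
# Requires the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$Pre2000Sid   = 'S-1-5-32-554'   # Pre-Windows 2000 Compatible Access (well-known SID)
$AnonymousSid = 'S-1-5-7'        # ANONYMOUS LOGON (well-known SID)

function Test-AnonymousPre2000Access {
    # Report, per domain, whether ANONYMOUS LOGON sits in the group.
    param(
        [string[]]$Domain = (Get-ADForest).Domains   # default: every domain in the forest
    )
    foreach ($d in $Domain) {
        $members = @(Get-ADGroupMember -Identity $Pre2000Sid -Server $d)
        $anon    = $members | Where-Object { $_.SID.Value -eq $AnonymousSid }
        [pscustomobject]@{
            Domain         = $d
            AnonymousLogon = [bool]$anon
            MemberCount    = $members.Count
            Members        = ($members | ForEach-Object { $_.name }) -join ', '
        }
    }
}

function Remove-AnonymousPre2000Access {
    # Remediation: remove ANONYMOUS LOGON from the group in one domain.
    # SupportsShouldProcess gives us -WhatIf / -Confirm for a dry run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Domain)
    $target = "$Domain\Pre-Windows 2000 Compatible Access"
    if ($PSCmdlet.ShouldProcess($target, 'Remove ANONYMOUS LOGON')) {
        Remove-ADGroupMember -Identity $Pre2000Sid -Members $AnonymousSid `
                             -Server $Domain -Confirm:$false
    }
}

# 1. Audit the whole forest.
Test-AnonymousPre2000Access | Format-Table -AutoSize

# 2. Dry-run the fix for every domain that still has the anonymous member;
#    drop -WhatIf once the change has been approved.
Test-AnonymousPre2000Access | Where-Object AnonymousLogon |
    ForEach-Object { Remove-AnonymousPre2000Access -Domain $_.Domain -WhatIf }
```

Run the audit on a schedule and alert on any domain where AnonymousLogon flips back to True, since the member can be re-added by anyone who re-enables pre-Windows 2000 compatibility.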

Comments

  • Anonymous
    June 30, 2015
    Recent Releases and Announcements

    Cumulative Update #1 for SQL Server 2014 SP1

    https://support
  • Anonymous
    November 10, 2017
    Excellent tip Ian!!