On computers running Microsoft® Windows Server® 2008 R2, Windows® 7, Windows Server® 2008, Windows Vista®, Windows Server® 2003, and Windows XP operating systems, the Everyone group no longer includes anonymous users by default. This change reduces the number of network resources available by default to anonymous users and simplifies how network administrators can control access by anonymous users.

Implications of limiting anonymous access

With the default denial of anonymous user access, it is easier for administrators to configure a secure system.

The default access control lists (ACLs) on earlier versions of Windows granted the Everyone group access to resources and potentially exposed them to attack. After the computer has been upgraded to Windows Server 2008, Windows Vista, or a later Windows operating system, these ACLs no longer grant this access to anonymous users.

Anonymous users cannot accidentally be granted access to resources as in the past, when administrators may not have been aware that anonymous users were included in the Everyone group.

This change affects anonymous users who are attempting to access resources hosted on computers running Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP. When a Windows 2000-based system is upgraded to any of these operating systems, resources with ACLs that grant access to Everyone (and not explicitly to Anonymous Logon) are no longer available to anonymous users after the upgrade. In most cases, this is an appropriate restriction of anonymous access.

You can still allow anonymous access to selected shared directories and files by adding the Anonymous Logon group to the discretionary access control lists (DACLs) that protect those resources. In addition, you should grant the Bypass Traverse Checking user right to the Anonymous Logon group. For more information, see Bypass traverse checking for anonymous users.

In some situations, it may be difficult to determine which resources must grant anonymous access, or to modify the permissions on all the necessary resources. If so, you can configure Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP to permit anonymous access by the Everyone group. For more information, see Allow anonymous access by the Everyone group.
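To help determine which resources currently grant access to Everyone or Anonymous Logon, the following read-only PowerShell audit is an added example and is not part of the original Microsoft procedure. It assumes a hypothetical root folder `C:\Shares`, Windows PowerShell 3.0 or later, and the `EveryoneIncludesAnonymous` registry value, whose name is not given on this page.

```powershell
# Added example: read-only audit. Requires Windows PowerShell 3.0 or later.
# $Root is a hypothetical path; point it at the shared tree under review.
param([string]$Root = 'C:\Shares')

# Well-known SIDs, so the check does not depend on localized group names.
$everyoneSid  = 'S-1-1-0'   # Everyone
$anonymousSid = 'S-1-5-7'   # Anonymous Logon

# Registry value behind "Network access: Let Everyone permissions apply to
# anonymous users" (the value name is not given on this page); 1 = Enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$everyoneIncludesAnonymous = ($lsa.EveryoneIncludesAnonymous -eq 1)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # Explicit and inherited ACEs, with trustees returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($sid -ne $everyoneSid -and $sid -ne $anonymousSid) { continue }

        # Inherit-only ACEs do not apply to this folder; they show up as
        # inherited ACEs on its children, which are visited separately.
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        [pscustomobject]@{
            Path               = $folder.FullName
            Trustee            = if ($sid -eq $anonymousSid) { 'Anonymous Logon' } else { 'Everyone' }
            Type               = $ace.AccessControlType      # Allow or Deny
            Rights             = $ace.FileSystemRights
            Inherited          = $ace.IsInherited
            # An Everyone ACE reaches anonymous users only when the policy is Enabled.
            AppliesToAnonymous = ($sid -eq $anonymousSid) -or $everyoneIncludesAnonymous
        }
    }
}
```

Rows where Trustee is Everyone and AppliesToAnonymous is False are the resources that stop being reachable anonymously after an upgrade unless Anonymous Logon is added to their DACLs.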

Bypass traverse checking for anonymous users

The procedure in this section applies to Windows 7 and Windows Vista.

To bypass traverse checking for anonymous users
  1. Click Start, type gpedit.msc in the Start Search text box, and then press ENTER.

  2. In the Local Group Policy Editor console tree, open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click User Rights Assignment.

  3. In the details pane, right-click Bypass traverse checking, and then click Properties.

  4. Click Add User or Group.

  5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Anonymous Logon.

  6. Click Check Names to verify that your entry is valid, and then click OK.

    Note

    There is no command-line method for this procedure.

Allow anonymous access by the Everyone group

The procedure in this section applies to Windows 7 and Windows Vista.

To allow anonymous access by the Everyone group
  1. Click Start, type gpedit.msc in the Start Search text box, and then press ENTER.

  2. In the Local Group Policy Editor console tree, open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click Security Options.

  3. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.

  4. To allow permissions that are applied to the Everyone group to apply to anonymous users, click Enabled.

    - or -

    To prevent permissions that are applied to the Everyone group from applying to anonymous users, click Disabled.

  5. Click OK.

    Note

    There is no command-line method for this procedure.