The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects grant read access to the Pre-Windows 2000 Compatible Access group.
Applying this fix in a forest in which Windows NT domain controllers are still deployed could cause operational problems, including denied access for authorized users.
When the Everyone or Anonymous Logon groups are members of the Pre-Windows 2000 Compatible Access group, anonymous access to many AD objects is enabled.
Anonymous access to AD data (for example, enumeration of user and group accounts) could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategy.
1. Start the Active Directory Users and Computers console (Start, Run, "dsa.msc").
2. Select and expand the left pane item that matches the name of the domain being reviewed and perform the following:
   a. Select the Builtin item.
   b. Double-click the Pre-Windows 2000 Compatible Access group and select the Members tab.
3. If the Anonymous Logon group or Everyone group is a member of the Pre-Windows 2000 Compatible Access group, then this is a finding.
Fix Text (F-8067r1_fix)
Remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access group.
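The following PowerShell script is an added example covering both the check procedure above and this fix; it is not part of the STIG text. It assumes the RSAT ActiveDirectory module is available and that the account running it can read and modify the Builtin container. The function names are hypothetical; the SIDs are the standard well-known values (S-1-5-32-554 for Pre-Windows 2000 Compatible Access, S-1-1-0 for Everyone, S-1-5-7 for Anonymous Logon). Matching on SID rather than display name catches the finding even on a localized or renamed domain.

```powershell
# Added example, not part of the STIG: check for and remove Everyone / Anonymous Logon
# membership in the Pre-Windows 2000 Compatible Access group.
Import-Module ActiveDirectory

# Well-known SIDs (standard values, not assumptions).
$PreWin2kGroupSid = 'S-1-5-32-554'      # BUILTIN\Pre-Windows 2000 Compatible Access
$ProhibitedSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-PreWin2kCompatFinding {
    # Returns one object per prohibited member; an empty result means no finding.
    [CmdletBinding()]
    param(
        # Optional domain controller to query; defaults to the module's default DC.
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # Read the raw 'member' attribute rather than using Get-ADGroupMember, which
    # can fail to resolve foreign security principals such as Everyone (S-1-1-0).
    $group = Get-ADGroup -Identity $PreWin2kGroupSid -Properties member @ad

    foreach ($dn in $group.member) {
        # Everyone and Anonymous Logon live under CN=ForeignSecurityPrincipals with
        # an objectSid attribute; resolve each member to its SID and compare.
        $obj = Get-ADObject -Identity $dn -Properties objectSid @ad
        $sid = $obj.objectSid.Value
        if ($ProhibitedSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Member            = $ProhibitedSids[$sid]
                Sid               = $sid
                DistinguishedName = $dn
            }
        }
    }
}

function Remove-PreWin2kCompatAnonymousAccess {
    # Applies the fix: removes only Everyone and Anonymous Logon, leaving other
    # members (such as Authenticated Users, the default member) untouched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    foreach ($finding in (Get-PreWin2kCompatFinding @ad)) {
        $target = "$($finding.Member) ($($finding.Sid))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from Pre-Windows 2000 Compatible Access')) {
            # Edit the 'member' attribute directly; this avoids principal resolution
            # problems that Remove-ADGroupMember can have with foreign security principals.
            Set-ADGroup -Identity $PreWin2kGroupSid -Remove @{ member = $finding.DistinguishedName } @ad
        }
    }
}

# Usage (constructed): report first, rehearse the change with -WhatIf, then apply it.
Get-PreWin2kCompatFinding | Format-Table -AutoSize
Remove-PreWin2kCompatAnonymousAccess -WhatIf
# Remove-PreWin2kCompatAnonymousAccess
```

Run the check on every domain in the forest, since the Builtin container and its groups are domain-specific. Before applying the fix in production, confirm that nothing still depends on anonymous reads of directory data, as described in the operational caveat above, and re-run the check afterwards to verify the finding is cleared.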