Eliminate Anonymous Connections to Domain Controllers
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you upgrade all servers in the domain that host services running as Local System and that use Anonymous or null credentials when accessing a domain controller, such as Windows NT 4.0 RAS servers, remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access built-in group. Removing these groups increases the security of your domain by preventing anonymous connections to domain controllers.
To remove groups from the Pre-Windows 2000 Compatible Access group using the command line
At a command prompt, type:
net localgroup "Pre-Windows 2000 Compatible Access" GroupName /delete
When using the net localgroup command to add or delete any group or group member name that includes spaces, such as the Anonymous Logon group, you must enclose the group name in quotation marks.
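The following batch script is an added example, not part of the original article. It applies the command above to both groups named in this topic and checks the result. It assumes English-language group names, a command prompt on a domain controller, and an account with rights to modify built-in groups; the :remove label and GROUP variable are names chosen for this example.

```bat
@echo off
rem Added example: remove Everyone and Anonymous Logon from the
rem Pre-Windows 2000 Compatible Access group and verify the result.
rem Assumes English group names and sufficient rights on a domain controller.
setlocal
set "GROUP=Pre-Windows 2000 Compatible Access"

echo Members before the change:
net localgroup "%GROUP%"

rem Names that contain spaces must be passed in quotation marks.
call :remove "Everyone"
call :remove "Anonymous Logon"

echo Members after the change:
net localgroup "%GROUP%"

rem Verification: neither name may still appear in the member list.
net localgroup "%GROUP%" | findstr /i /c:"Everyone" /c:"Anonymous Logon" >nul
if not errorlevel 1 (
    echo WARNING: Everyone or Anonymous Logon is still a member of "%GROUP%".
    exit /b 1
)
echo OK: anonymous principals are no longer members of "%GROUP%".
exit /b 0

:remove
rem %1 arrives quoted; check membership first so a missing member
rem is reported as "nothing to do" rather than as a command error.
net localgroup "%GROUP%" | findstr /i /c:%1 >nul
if errorlevel 1 (
    echo %~1 is not a member; nothing to do.
    goto :eof
)
net localgroup "%GROUP%" %1 /delete
goto :eof
```

The script exits with code 1 if either group is still listed, so it can be used as a check after the change has replicated.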