Security Focus: Check Active Directory for Anonymous Access

In Active Directory there's a little-loved, all-but-forgotten, built-in group that needs attention!

Pre-Windows 2000 Compatible Access


This group is a 'backward compatibility group which allows read access on all users and groups in the domain'. Now, when you enable pre-Windows 2000 compatibility, the special identity ANONYMOUS LOGON is added as a member of the group. This means that anything that can access your network can read details of the domain root, users, computers and groups.

We advise checking the membership of this group on a regular basis. Here's some PowerShell to help out:

# Well-known SID of the built-in 'Pre-Windows 2000 Compatible Access' group
$Pre_Windows_2000_Compatible_Access = "S-1-5-32-554"

# Well-known SID of the ANONYMOUS LOGON special identity
$Anonymous_Logon = "S-1-5-7"

# List the group's members and keep only the one whose SID is ANONYMOUS LOGON
Get-ADGroupMember -Identity $Pre_Windows_2000_Compatible_Access | Where-Object {$_.SID -eq $Anonymous_Logon}


I decided to use the security identifiers (SIDs) of the objects in my search and checks. These are well-known object SIDs that don't change from domain to domain. The SIDs were assigned to 'human-readable' variables. Here's what happens when I run the above example in one of my domains:


Here we have 'ANONYMOUS LOGON' as a group member. If pre-Windows 2000 compatibility is no longer required (one hopes not!) then it's time to remove the offending member from the group.
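Building on the check above, here is an added example (not from the original post) that reads the group's 'member' attribute directly, resolves each member's SID to a name, and removes ANONYMOUS LOGON only after a -WhatIf rehearsal. The function names are hypothetical, it assumes the RSAT ActiveDirectory module, and it assumes the PDC emulator is the right domain controller to query.

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Pre_Windows_2000_Compatible_Access = 'S-1-5-32-554'   # well-known SID of the built-in group
$Anonymous_Logon                    = 'S-1-5-7'        # well-known SID of ANONYMOUS LOGON

# Reads the group's 'member' attribute and resolves each DN, so foreign security
# principals such as ANONYMOUS LOGON are reported even where Get-ADGroupMember
# has trouble enumerating them. (Hypothetical function name.)
function Get-PreWin2kGroupMember {
    param([string]$Server = (Get-ADDomain).PDCEmulator)   # assumption: ask the PDC emulator
    $group = Get-ADGroup -Identity $Pre_Windows_2000_Compatible_Access -Properties member -Server $Server
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid -Server $Server
        $sid = $obj.objectSid.Value
        # Translate the SID to an account name where possible; fall back to the raw SID
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid
        }
        [pscustomobject]@{
            Group       = $group.Name
            Member      = $name
            SID         = $sid
            DN          = $dn
            IsAnonymous = ($sid -eq $Anonymous_Logon)
        }
    }
}

# Removes ANONYMOUS LOGON from the group; supports -WhatIf / -Confirm. (Hypothetical name.)
function Remove-PreWin2kAnonymousMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $hit = Get-PreWin2kGroupMember -Server $Server | Where-Object { $_.IsAnonymous }
    if (-not $hit) { Write-Verbose 'ANONYMOUS LOGON is not a member; nothing to do.'; return }
    if ($PSCmdlet.ShouldProcess($hit.Group, "Remove $($hit.Member) ($($hit.SID))")) {
        # Remove by the member's DN; -Confirm:$false because ShouldProcess already prompted
        Remove-ADGroupMember -Identity $Pre_Windows_2000_Compatible_Access -Members $hit.DN -Server $Server -Confirm:$false
    }
}

# Report first, then rehearse the removal before running it for real
Get-PreWin2kGroupMember | Format-Table Group, Member, SID, IsAnonymous -AutoSize
Remove-PreWin2kAnonymousMember -WhatIf
```

Once the -WhatIf output looks right, run Remove-PreWin2kAnonymousMember without it; the report function is worth scheduling so the membership is re-checked regularly.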