4.7.10. NULL sessions restrictions settings in Windows XP and Windows Server 2003

Starting with Windows XP, EVERYONE does not contain ANONYMOUS LOGON, because the following security option, which sets the EveryoneIncludesAnonymous registry value, is disabled by default:

Network access: Let Everyone permissions apply to anonymous users (Disabled by default)

As a consequence, when permissions must allow anonymous access, they explicitly grant access to ANONYMOUS LOGON.

The RestrictAnonymous registry value still exists in Windows XP and Windows Server 2003 and corresponds to the following security option:

Network access: Do not allow anonymous enumeration of SAM accounts and shares (Disabled by default)

Given that this security option can only be disabled or enabled, it is easy to deduce that the only valid values for the RestrictAnonymous registry value in Windows XP and Windows Server 2003 are 0 and 1 (2 is not supported, unlike in Windows 2000).

Because of the EveryoneIncludesAnonymous registry value default setting in Windows XP and Windows Server 2003, RestrictAnonymous is not as important as it was in Windows 2000.
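
The following audit script is an added example, not part of the original document: it reads the two registry values discussed in this section and reports settings that deviate from what is described above. It assumes both values are stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that a missing value is equivalent to 0; the function names are hypothetical.

```powershell
# Added example: audit EveryoneIncludesAnonymous and RestrictAnonymous.
# Assumption: both values are stored under the Lsa key below.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read a DWORD value from the Lsa key.
# Assumption: a value that does not exist is treated as 0 (option disabled).
function Get-LsaDword([string]$Name) {
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [int]$item.$Name
}

# Evaluate the two values against the behaviour described in this section.
function Test-AnonymousRestrictions {
    param([int]$EveryoneIncludesAnonymous, [int]$RestrictAnonymous)
    $findings = @()
    if ($EveryoneIncludesAnonymous -ne 0) {
        # Non-default: permissions granted to EVERYONE also apply to ANONYMOUS LOGON.
        $findings += 'EveryoneIncludesAnonymous is enabled: EVERYONE permissions apply to anonymous users.'
    }
    switch ($RestrictAnonymous) {
        0 { $findings += 'RestrictAnonymous = 0: "Do not allow anonymous enumeration of SAM accounts and shares" is disabled (default).' }
        1 { }   # security option enabled, nothing to report
        default {
            # Only 0 and 1 are valid on Windows XP and Windows Server 2003.
            $findings += "RestrictAnonymous = $RestrictAnonymous is not a supported value (only 0 or 1)."
        }
    }
    return ,$findings   # the comma keeps an empty or one-element array intact
}

$eia = Get-LsaDword 'EveryoneIncludesAnonymous'
$ra  = Get-LsaDword 'RestrictAnonymous'
"EveryoneIncludesAnonymous = $eia, RestrictAnonymous = $ra"

$findings = Test-AnonymousRestrictions -EveryoneIncludesAnonymous $eia -RestrictAnonymous $ra
if ($findings.Count -eq 0) {
    'No findings: EVERYONE excludes ANONYMOUS LOGON and anonymous enumeration is restricted.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```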