Microsoft KB Archive/323467

= Issues that occur after you implement the Microsoft Baseline Security Analyzer recommendations in SBS 2000 =

Article ID: 323467

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Small Business Server 2000 Standard Edition




This article was previously published under Q323467



Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article describes some of the issues that may occur after you implement the recommendations made by Microsoft Baseline Security Analyzer (MBSA) on a computer that is running Small Business Server (SBS) 2000.



Restrict Anonymous
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

MBSA recommends that you complete the following task:

Set RestrictAnonymous=2 to ensure maximum security.

If you click How to correct this, you receive the following message in the Caution section:

It is recommended that you do not set this value to 2 on Domain Controllers in mixed-mode environments.

If you have applied either the Q299687 Windows 2000 security hotfix or the Q311401 Windows 2000 security rollup package to the SBS 2000 server and you set the RestrictAnonymous value to 2 in the registry, you may experience one or more of the following issues:
 * If you use a Microsoft Outlook client computer (that uses a Microsoft Exchange Server computer), you cannot look through the global address list or resolve names from the global address list. The global address list appears to be empty.
 * If you remove a mail profile from a client computer, you cannot reestablish a connection to the Exchange Server computer (to re-create the profile).
 * You cannot add a network printer by selecting it from the Active Directory. However, you can still add a network printer by selecting it from the tree view.

To resolve these issues, upgrade your SBS 2000-based server to Windows 2000 Service Pack 4 (SP4) or Small Business Server 2000 Service Pack 1a (SP1a).

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

326924 How to obtain Small Business Server 2000 Service Pack 1a
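The following added example (not part of the original Microsoft article) shows one way to check a server before or after applying the RestrictAnonymous recommendation: it reads saved `reg query` output and reports whether the value 2 is combined with a Windows service pack level below SP4. The registry locations (`Control\Lsa\RestrictAnonymous` and `CurrentVersion\CSDVersion`), the function names, and the sample text are assumptions of this example and do not come from the article; output from Windows 2000-era tooling may be laid out differently.

```python
import re

# Constructed sample input (not from a real server), in the layout that
# current reg.exe prints for "reg query": "    Name    REG_TYPE    Data".
SAMPLE_LSA = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x2
"""
SAMPLE_VERSION = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    CSDVersion    REG_SZ    Service Pack 3
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Return {value_name: (type, data)} for each value line in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:  # key-path lines have no leading whitespace and are skipped
            values[m.group(1)] = (m.group(2), m.group(3))
    return values

def restrict_anonymous_finding(lsa_text, version_text):
    """Return (status, detail) for RestrictAnonymous versus the service pack level."""
    lsa = parse_reg_query(lsa_text)
    ver = parse_reg_query(version_text)
    # Assumption: an absent value is treated the same as 0.
    kind, data = lsa.get("RestrictAnonymous", ("REG_DWORD", "0x0"))
    if kind != "REG_DWORD":
        return ("unknown", "RestrictAnonymous is not a REG_DWORD")
    level = int(data, 16)
    sp_match = re.search(r"Service Pack (\d+)", ver.get("CSDVersion", ("", ""))[1])
    sp = int(sp_match.group(1)) if sp_match else 0
    if level == 2 and sp < 4:
        # This check cannot see SBS 2000 SP1a or the two hotfixes; verify those by hand.
        return ("at-risk", "value is 2 below Windows 2000 SP4; if Q299687 or Q311401 "
                "is applied, expect the global address list and printer issues")
    if level == 2:
        return ("ok", "value is 2 and Windows 2000 SP4 or later is installed")
    return ("pending", "MBSA will flag value %d; install SP4 or SBS 2000 SP1a "
            "before raising it to 2" % level)

if __name__ == "__main__":
    print(restrict_anonymous_finding(SAMPLE_LSA, SAMPLE_VERSION))
```
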

Services
MBSA may send the following message:

Some potentially unnecessary services are installed.

If you click Result Details, MBSA displays the list of potentially unnecessary services that are installed. The following services may be listed:
 * Remote Access Connection Manager: This service is used to provide remote access connections like dial-up connections and virtual private networking (VPN) connections to the SBS 2000 server. If you stop, disable, or remove this service, you prevent users from accessing the server by using dial-up or VPN connections.
 * Simple Mail Transport Protocol (SMTP): Exchange 2000 uses this service to send and receive e-mail messages. If you stop, disable, or remove this service, you prevent the Exchange 2000 server from sending and receiving messages.
 * World Wide Web Publishing Service: This service is used to publish Web sites. If you stop, disable, or remove this service, you prevent users from accessing Web sites that are hosted on the SBS 2000 server including Microsoft Outlook Web Access (OWA) and My Console.

IIS Lockdown Tool
MBSA may send the following message:

The IIS Lockdown tool has not been run on the machine.

In Exchange 2000 environments, you cannot use the lockdown tool with Exchange 2000 installable file system (IFS) mounted drives (typically, drive M). To use the lockdown tool on Exchange 2000 servers, including SBS 2000 servers, see the following Microsoft Knowledge Base article:

309508 XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment

