Issues That Occur After You Implement the Microsoft Baseline Security Analyzer Recommendations in SBS 2000 (323467)

MORE INFORMATION

Restrict Anonymous

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

MBSA recommends that you complete the following task:

Set RestrictAnonymous=2 to ensure maximum security.

If you click How to correct this, you receive the following message in the Caution section:

It is recommended that you do not set this value to 2 on Domain Controllers in mixed-mode environments.

If you have applied either the Q299687 Windows 2000 security hotfix or the Q311401 Windows 2000 security rollup package to the SBS 2000 server and you set the RestrictAnonymous value to 2 in the registry, you may experience one or more of the following issues:

If you use a Microsoft Outlook client computer (that uses a Microsoft Exchange Server computer), you cannot look through the global address list or resolve names from the global address list. The global address list appears to be empty.
If you remove a mail profile from a client computer, you cannot reestablish a connection to the Exchange Server computer (to re-create the profile).
You cannot add a network printer by selecting it from the Active Directory. However, you can still add a network printer by selecting it from the tree view.

To resolve these issues, upgrade your SBS 2000-based server to Windows 2000 Service Pack 3 (SP3) or Small Business Server 2000 Service Pack 1 (SP1).

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

326924 How to Obtain Small Business Server 2000 Service Pack 1

Services

MBSA may send the following message:

Some potentially unnecessary services are installed.

If you click Result Details, MBSA displays the list of potentially unnecessary services that are installed. The following services may be listed:

Remote Access Connection Manager: This service is used to provide remote access connections like dial-up connections and virtual private networking (VPN) connections to the SBS 2000 server. If you stop, disable, or remove this service, you prevent users from accessing the server by using dial-up or VPN connections.
Simple Mail Transport Protocol (SMTP): Exchange 2000 uses this service to send and receive e-mail messages. If you stop, disable, or remove this service, you prevent the Exchange 2000 server from sending and receiving messages.
World Wide Web Publishing Service: This service is used to publish Web sites. If you stop, disable, or remove this service, you prevent users from accessing Web sites that are hosted on the SBS 2000 server including Microsoft Outlook Web Access (OWA) and My Console.

IIS Lockdown Tool

MBSA may send the following message:

The IIS Lockdown tool has not been run on the machine.

In Exchange 2000 environments, you cannot use the lockdown tool with Exchange 2000 installable file system (IFS) mounted drives (typically, drive M). To use the lockdown tool on Exchange 2000 servers, including SBS 2000 servers, see to the following Microsoft Knowledge Base article.

309508 XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment