If you're administering a Windows 2000 network and wondering how to set up your groups for file and print permissions, among other things, keep in mind that the "anonymous user" or "null connection" is a member of the Everyone group. This means that a null session connection can do anything the Everyone group is permitted to do, which is potentially very dangerous.
Generally speaking, if you are concerned about security, you should not be using the Everyone group in the first place, and the anonymous account should be disabled. If you must have the Everyone group and anonymous users for some reason, allow access to resources only by explicitly authorizing groups you create. In other words, if you set up your file server to allow full access to the Everyone group and then restrict individual directories to specific users and groups, you are inviting trouble. A mistake here or there could easily allow someone to log in anonymously and cause havoc. It's better to deny access to everyone by default and grant access only to specific users and groups.
You should exercise the same caution with Windows XP, but fortunately this bug, or feature, depending on how you want to look at it, is fixed there. In Windows XP, the anonymous user is not part of the built-in Everyone group.
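One way to check a file server for the pattern warned about above, as an added example that is not part of the original tip: the script reports every folder whose ACL allows access to Everyone or Anonymous Logon. It assumes a Windows system with PowerShell 3.0 or later (which postdates Windows 2000); the function name `Find-BroadAllowAce` and the temporary demo folder are hypothetical and constructed for illustration.

```powershell
# Added example: report ACEs that allow access to Everyone or Anonymous Logon.
# Well-known SIDs: S-1-1-0 = Everyone, S-1-5-7 = Anonymous Logon.
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

function Find-BroadAllowAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Check the root itself and every folder beneath it.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        # Request rules keyed by SID so localized group names do not matter.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $BroadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # False = granted on this folder directly
                }
            }
        }
    }
}

# Constructed demo: a temporary tree with one folder opened to Everyone.
$demo = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$open = New-Item -ItemType Directory -Path (Join-Path $demo 'public') -Force
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $open.FullName
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $open.FullName -AclObject $acl

# Expect one finding for the 'public' folder, with Inherited = False.
Find-BroadAllowAce -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `-Root` at a real share path to audit it; findings with `Inherited = False` mark the folders where the broad grant was set explicitly and should be replaced with a grant to a group you created.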
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.
This was first published in January 2003