Compaq Armada 7700 Armada 7700 and 7300 Pre-install Refresh - Page 7

WHITE PAPER (cont.) ... Feature Restricting Anonymous User Access Using a System Key To Strongly Encrypt Password Information New Win32 APIs and SDK for Service Pack 3 Description Windows NT has a feature where anonymous logon users can list domain user names and enumerate share names. Some customers who want enhanced security have requested the ability to optionally restrict this functionality. Service Pack 3 provides a mechanism for administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. In addition, Service Pack 3 has a feature that restricts anonymous logon users from connecting to the registry remotely. After Service Pack 3 is installed, anonymous users cannot connect to the registry and cannot read or write any registry data. Also, a new built-in group known as Authenticated Users is created when you install Service Pack 3. The Authenticated Users group is similar to the Everyone group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. For more information on these new features, including information on configuring the registry to restrict anonymous user access to list domain user names and enumerate share names, refer to the Microsoft Web site at http://www.microsoft.com/KB/Articles/Q143/4/74.htm. Service Pack 3 provides the capability to use strong encryption techniques to increase protection of account password information stored in the registry by the Security Account Manager (SAM). Windows NT stores user account information, including a derivative of the user account password, in a secure portion of the registry protected by access control and an obfuscation function. The account information in the registry is only accessible to members of the administrators group. Windows NT, like other operating systems, allows privileged users who are administrators access to all resources in the system. For users who require enhanced security, strong encryption of account password derivative information provides an additional level of security to prevent administrators from intentionally or unintentionally accessing password derivatives using registry programming interfaces. The strong encryption capability in Service Pack 3 is an optional feature. Strong encryption protects private account information by encrypting the password data using a 128-bit 11cryptographically random key, known as a password encryption key. Administrators may choose to implement strong encryption by defining a system key for Windows NT. To do this, administrators can run a utility called Syskey.exe. For more information on using Syskey.exe to configure a system key, refer to the Microsoft Web site at http://www.microsoft.com/KB/Articles/Q143/4/75.htm. Service Pack 3 includes several new APIs, including two Win32 APIs. To develop applications that take advantage of these new APIs, a Service Pack 3 SDK will be available on the Microsoft Web site at: http://www.microsoft.com/msdn/sdk. 11 128 bit security key technology is subject to United States export rules regulated by the International Traffic in Arms Regulations (ITAR, 22 CFR 120-130) of the U.S. State Department, Office of Defense Trade Controls. For this reason Service Pack 3 with 128 bit security key technology cannot be downloaded from the Microsoft Web site. For information on how to obtain the 128 bit security key version of Service Pack 3 refer to the Microsoft Web site at http://www.microsoft.com/NTServerSupport/Content/ServicePacks/Readme.htm#Obtain 7