Computer Security - Anonymous Enumeration: a serious threat to Active Directory
Hello

I'm trying to test Windows 2003 security. I've set up an Active Directory and subjected it to non-firewalled access from the Internet to see how it would survive.

Some policies I set up:

Network access: Allow anonymous SID/Name translation: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Network access: Restrict anonymous access to Named Pipes and Shares: Enabled

BUT: to my shocking revolution I found out it could enumerate data from my Active Directory despite this.

MY QUESTION: How can I protect my Active Directory from Anonymous Enumeration?

The log entry is included:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <My Computer>
Description:
Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD >
    Handle ID: 51442368
    Operation ID: {0,1796199}
    Process ID: 572
    Process Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: SALLY$
    Primary Domain: <My Domain>
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: ANONYMOUS LOGON
    Client Domain: NT AUTHORITY
    Client Logon ID: (0x0,0x1B6671)
    Accesses: READ_CONTROL
        InitializeServer
        EnumerateDomains
        Undefined Access (no effect) Bit 7
    Privileges: -
    Properties:
    ---
    samServer
    Access Mask: 0

Regards
Eric
(Remove the fast cat to mail me!)
Eric Anderson
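An added example, not part of the original post: detection logic for the kind of log entry quoted above, which parses Event ID 565 text and reports when ANONYMOUS LOGON is granted EnumerateDomains on a SAM object. The sample events are constructed (the first from fields quoted in the post, the second with an invented user name), and the function names are assumptions.

```python
import re

# Constructed samples: the first lays out fields quoted in the post one per
# line; the second is an invented authenticated user that must not alert.
SAMPLE_EVENTS = [
    "Event ID: 565\n"
    "Object Type: SAM_SERVER\n"
    "Client User Name: ANONYMOUS LOGON\n"
    "Client Domain: NT AUTHORITY\n"
    "Accesses: READ_CONTROL\n"
    "\tInitializeServer\n"
    "\tEnumerateDomains\n"
    "Privileges: -\n",
    "Event ID: 565\n"
    "Object Type: SAM_SERVER\n"
    "Client User Name: jsmith\n"
    "Accesses: READ_CONTROL\n"
    "\tEnumerateDomains\n",
]

# Rights to report. Only EnumerateDomains appears in the post; extend as needed.
WATCHED_RIGHTS = {"EnumerateDomains"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_event(text):
    """Parse 'Key: value' lines; indented lines continue the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def anonymous_sam_access(fields):
    """Return watched rights an anonymous client was granted on a SAM object."""
    if fields.get("Event ID") != "565":
        return []
    if not fields.get("Object Type", "").startswith("SAM_"):
        return []
    if fields.get("Client User Name", "").upper() != "ANONYMOUS LOGON":
        return []
    return [r for r in fields.get("Accesses", "").split() if r in WATCHED_RIGHTS]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(anonymous_sam_access(parse_event(event)))
```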