I was reading this KB article and happened upon this sentence:

"This could cause undesired behavior because many Windows 2000 services, as
well as third-party programs, rely on anonymous access capabilities to
perform legitimate tasks."

I have a question: Who defines "legitimate?"

I ask the question because I deal daily with users running applications on
Windows 2000 as restricted users. I locked the network down tighter than a
hummingbird's suite, not because the users are idiots (I know they aren't) but
because they're human and they make mistakes. I don't want those
mistakes to break a working machine and waste two hours reinstalling the OS
and a mess of apps.[1] "Legitimate" to me means it can run without any
special attention to security settings, or at minimum only needs one-time
fixes to work as a restricted user, with MY security standards.

Then there's some ad-driven website's webmaster's definition of "legitimate"
which includes installing software behind a visitor's back. I'm sorry, I
don't find that legitimate, regardless of what the site's terms of use say.
Deal with visitors running IE6 as a restricted user, or point me to your
competition. I'll be glad to not visit your site.

I routinely bounce otherwise very useful apps from this network because they
don't run as a Win2K restricted user, not even after being beaten into
submission by changing permissions here and there. Some of these things
could have saved man-hours of labour and hundreds of dollars in licensing.
But I instead recommend competing products, often produced by Microsoft
themselves (yes, The Beast of Redmond [2], whose designers supposedly don't
care about computer security) because their designers actually bothered to
test their software in a restricted environment.

Here we have Veritas saying their software requires a certain set of
settings to perform "legitimate" tasks, such as saving your neck from a
server failure with a good backup strategy. I would normally consider this
very legitimate. What I don't understand is why Backup Exec 8.6, Designed
For Windows 2000 Server [3], wants to create a new user, make it a member of
"Domain Admins," grant it "Log on as a Service" and "Act as part of the
Operating System" rights, insists that you tell it this new account's
password and to have "Password Never Expires" turned on, and then relies on
some form of ANONYMOUS access capabilities after being granted all of these
mighty powers.

Please tell, oh worthy designers and tech supporters of Backup Exec for
Windows Servers: Who defines "Legitimate?"

Take your time. I don't expect an immediate answer. In fact, if I got one
I'd be very disappointed. Just remember I nearly bounced Backup Exec 8.6
until I found your "Restrict Anonymous Access" switch.

[1] Yes it really only takes ten minutes because I use Symantec Ghost. But
that's not the point.

[2] Copyright 1998 The Register. http://www.theregister.co.uk/

[3] [TM] Mircosoft Corporation, all rights reserved. :-p
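For anyone who wants to check the same three things the post complains about on a current Windows box, here is an added PowerShell audit script. It is not from the original post and not Veritas/Symantec code; Windows 2000 had no PowerShell, so this is a present-day check of the same settings. It assumes an elevated session on the media server, the RSAT ActiveDirectory module for the last step, and that the service account name (CORP\besvc) is a placeholder to substitute.

```powershell
# Added audit example (not from the original post or from Backup Exec).
# Assumes: elevated session on the media server; RSAT ActiveDirectory module
# for step 3; $ServiceAccount is a hypothetical placeholder name.
param([string]$ServiceAccount = 'CORP\besvc')

# 1. RestrictAnonymous, the KB's "switch". Value is absent or 0 by default
#    (null-session enumeration allowed), 1 restricts enumeration, 2 denies
#    anonymous access that has not been explicitly granted.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
"RestrictAnonymous      : $ra"
if ($ra -lt 1) { Write-Warning 'Null-session enumeration is permitted on this host.' }

# 2. Who holds the two user rights the installer asks for. secedit writes a
#    Unicode INF whose [Privilege Rights] lines look like
#    SeTcbPrivilege = *S-1-5-32-544,CORP\besvc   (SIDs carry a leading *).
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $holders = foreach ($p in $Matches[2].Split(',')) {
            $p = $p.Trim()
            if (-not $p) { continue }
            if ($p.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $p }   # unresolvable SID: keep the raw value
            } else { $p }
        }
        $rights[$Matches[1]] = @($holders)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($r in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    $who = if ($rights[$r]) { $rights[$r] -join ', ' } else { '(none)' }
    "{0,-22} : {1}" -f $r, $who
    if ($rights[$r] -contains $ServiceAccount) {
        Write-Warning "$ServiceAccount holds $r"
    }
}

# 3. The account itself: Domain Admins membership (nested groups included)
#    and the "Password Never Expires" flag.
Import-Module ActiveDirectory
$sam  = $ServiceAccount.Split('\')[-1]
$user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
$isDA = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
               Where-Object { $_.SamAccountName -eq $sam })
"Domain Admins member   : $isDA"
"PasswordNeverExpires   : $($user.PasswordNeverExpires)"
if ($isDA -and $user.PasswordNeverExpires) {
    Write-Warning "$sam is a Domain Admin with a non-expiring password."
}
```

Save it as a .ps1 and run it as `.\audit-besvc.ps1 -ServiceAccount 'YOURDOMAIN\account'`. The warnings are the interesting output: a RestrictAnonymous of 0 beside a service account that holds SeTcbPrivilege and sits in Domain Admins is exactly the combination the post is objecting to.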