Guest Spin
Posted April 3, 2008

Gurus,

How much of a security risk do these Windows security settings pose if they are allowed? I am not looking for a security exposition, just a few quick thoughts?

Network Access: Allow anonymous SID/Name translation
Network Access: Do not allow anonymous enumeration of SAM accounts
Network Access: Do not allow anonymous enumeration of SAM accounts and shares

--
Spin

Guest Roger Abell [MVP]
Posted April 10, 2008

Only you can assess risk based on context of the machines. Those settings only very rarely need to be set to allow these things to anonymous. All your accounts can do those things regardless of the settings.

So, based on context of machines you need to answer: What risk is posed by allowing anyone that can connect via the network the ability to discover my defined shares and principals' (accounts, groups, joined computer) names, and even the account and group SIDs that would not change when these are renamed (such as done during response to penetration).

If your machines are not networked the risk is minimal, while if live and naked on the internet then you would be needlessly providing much info about your system (shares - where to attempt logins distributed across multiple security event logs; principals - what names to use; group - which are admins; etc.) to anyone anywhere.

Roger

"Spin" <Spin@invalid.com> wrote in message news:65k5gvF2efhc2U1@mid.individual.net...
> Gurus,
>
> How much of a security risk do these Windows security settings pose if they are allowed? I am not looking for a security exposition, just a few quick thoughts?
>
> Network Access: Allow anonymous SID/Name translation
> Network Access: Do not allow anonymous enumeration of SAM accounts
> Network Access: Do not allow anonymous enumeration of SAM accounts and shares
>
> --
> Spin
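
A local audit of the three policies named in the question, as an added example that is not part of the original thread. The mapping to `RestrictAnonymousSAM` and `RestrictAnonymous` under the `Lsa` registry key and to `LSAAnonymousNameLookup` in a `secedit` export is supplied here, not taken from the posts.

```powershell
# Added example: report whether anonymous callers are allowed each of the three
# operations on the local machine. Run elevated; secedit /export needs admin rights.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue([string]$Name) {
    # Returns $null when the value is not present under the Lsa key
    (Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

# SID/Name translation is not stored as a registry value, so read it from a
# temporary export of the local security policy.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$nameLookup = $null
if (Test-Path $cfg) {
    $hit = Get-Content $cfg |
        Where-Object { $_ -match '^\s*LSAAnonymousNameLookup\s*=' } |
        Select-Object -First 1
    if ($hit -match '=\s*(\d+)') { $nameLookup = [int]$Matches[1] }
    Remove-Item $cfg -Force
}

# AllowedAt is the stored value at which anonymous access is permitted.
$checks = @(
    @{ Policy = 'Allow anonymous SID/Name translation'
       Current = $nameLookup; AllowedAt = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Current = (Get-LsaValue 'RestrictAnonymousSAM'); AllowedAt = 0 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Current = (Get-LsaValue 'RestrictAnonymous'); AllowedAt = 0 }
)

$checks | ForEach-Object {
    $state = if ($null -eq $_.Current) {
        'not set or unreadable'
    } elseif ($_.Current -eq $_.AllowedAt) {
        'ANONYMOUS ACCESS ALLOWED'
    } else {
        'anonymous access refused'
    }
    [pscustomobject]@{ Policy = $_.Policy; Value = $_.Current; State = $state }
} | Format-Table -AutoSize -Wrap
```

On domain-joined machines these values may be set by Group Policy, so a change made locally can be overwritten at the next policy refresh.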