Guest OM
Posted November 3, 2008

Our Security team is recommending to set up the below settings on Domain Controller under Local Security Settings. Has anyone set the below settings on Domain Controller and experienced any issues? Any cons setting up these settings on Domain Controller?

Local Security Settings:
Network access: Do not allow anonymous enumeration on SAM accounts=Enabled.
Network access: Do not allow anonymous enumeration on SAM accounts and Shares=Disabled.

Guest Steve Riley [MSFT]
Posted November 10, 2008

There is more information on these settings here: http://support.microsoft.com/kb/823659

You're a bit unclear about which computers you're considering changing.

The "accounts" policy is enabled by default on clients, disabled on servers, and has no effect on domain controllers. The "accounts and shares" policy is disabled by default on all machines.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437

Guest OM
Posted November 10, 2008

Changing these two settings on actual Domain Controller server. This is part of the OTS requirement and they are asking us to make changes on Domain Controller Server locally. I thought someone must have already applied these two settings on domain controller server locally and seen any issues.

Thanks

Guest Steve Riley [MSFT]
Posted November 12, 2008

As I said, the "accounts" policy has no effect on domain controllers. The "accounts and shares" policy already defaults to what your security team recommends.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437
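
A check of the two settings discussed in this thread, as an added example that is not part of the original posts: it reads the current values on the local machine and compares them with the states listed in the question. The registry value names (RestrictAnonymousSAM and RestrictAnonymous under the Lsa key) are not given in the thread and are assumed to be the values these two policies set; the function name is hypothetical.

```powershell
# Added example: audit the two "Network access" policies discussed in this thread.
# Assumption: the policies are stored as these DWORD values under the Lsa key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Recommended states are the ones quoted in the original question.
$Policies = @(
    [pscustomobject]@{
        Policy      = 'Do not allow anonymous enumeration of SAM accounts'
        ValueName   = 'RestrictAnonymousSAM'
        Recommended = 1   # Enabled
    },
    [pscustomobject]@{
        Policy      = 'Do not allow anonymous enumeration of SAM accounts and shares'
        ValueName   = 'RestrictAnonymous'
        Recommended = 0   # Disabled
    }
)

function Get-AnonymousEnumerationAudit {
    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    foreach ($p in $Policies) {
        # A missing value is reported as NotConfigured rather than assumed to be 0.
        $item    = Get-ItemProperty -Path $LsaKey -Name $p.ValueName -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($p.ValueName) } else { $null }

        [pscustomobject]@{
            Policy      = $p.Policy
            ValueName   = $p.ValueName
            Current     = if ($null -eq $current) { 'NotConfigured' } else { $current }
            Recommended = $p.Recommended
            Matches     = ($null -ne $current) -and ($current -eq $p.Recommended)
            Note        = if ($isDc -and $p.ValueName -eq 'RestrictAnonymousSAM') {
                              'Per the reply in this thread: no effect on domain controllers'
                          } else { '' }
        }
    }
}

Get-AnonymousEnumerationAudit | Format-Table -AutoSize -Wrap
```

Running it before and after a policy change gives a record of what actually changed on the machine, which is useful evidence when the requirement comes from an external checklist.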