
Understanding the Anonymous Enumeration Policies

What's the difference between the Network access: Do not allow anonymous enumeration of SAM accounts policy and the Network access: Do not allow anonymous enumeration of SAM accounts and shares policy that I see in Group Policy Objects (GPOs) that appear under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options when I'm logged on at a Windows Server 2003 or Windows XP computer?

Welcome to the confusing world of Microsoft naming techniques. The Network access: Do not allow anonymous enumeration of SAM accounts and shares policy would be more accurately named Network access: Do not allow anonymous enumeration of shares. Network access: Do not allow anonymous enumeration of SAM accounts and shares controls the RestrictAnonymous registry value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. On Windows 2003 and XP systems, RestrictAnonymous simply controls whether anonymous connections (aka null sessions) can obtain a list of shared folders from the computer. RestrictAnonymous also exists on Windows 2000 Server, where it is set by the Win2K Additional restrictions for anonymous connections policy (as described in the next question and answer).

Network access: Do not allow anonymous enumeration of SAM accounts controls the RestrictAnonymousSAM registry value, which also resides in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. RestrictAnonymousSAM specifies whether anonymous connections can enumerate local user SAM accounts. By default, Windows 2003 and XP disable Network access: Do not allow anonymous enumeration of SAM accounts and shares and enable Network access: Do not allow anonymous enumeration of SAM accounts, which means anonymous connections can enumerate shares but can't list local user accounts. Anonymous enumeration of user accounts is one way attackers can obtain usernames to use in social engineering or as targets for password guessing. Anonymous enumeration of shares is less of a risk, but it does obviously give an attacker a list of folders to try to access if he or she succeeds in logging on to the computer.
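The mapping between the two policy names and the two Lsa registry values is easy to get backwards, so the following PowerShell audit script, which is an added example and not part of the original column, reads both values and reports which kind of anonymous enumeration each one currently permits. It assumes that a missing value behaves like the Windows 2003/XP default the answer describes (RestrictAnonymous = 0, RestrictAnonymousSAM = 1); the function and parameter names are this example's own.

```powershell
# Added example (not from the original article): audit and, if asked, harden the
# two Lsa values behind the "Network access: Do not allow anonymous enumeration"
# policies. Run in an elevated PowerShell session.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousEnumerationPolicy {
    param([string]$Path = $LsaPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Assumption: an absent value behaves like the OS default the article gives
    # for Windows 2003/XP (RestrictAnonymous = 0, RestrictAnonymousSAM = 1).
    $restrictAnonymous = 0
    if ($null -ne $props.RestrictAnonymous) { $restrictAnonymous = [int]$props.RestrictAnonymous }
    $restrictAnonymousSam = 1
    if ($null -ne $props.RestrictAnonymousSAM) { $restrictAnonymousSam = [int]$props.RestrictAnonymousSAM }

    # RestrictAnonymous    <-> "...enumeration of SAM accounts and shares" (really: shares)
    # RestrictAnonymousSAM <-> "...enumeration of SAM accounts"
    New-Object PSObject -Property @{
        RestrictAnonymous                = $restrictAnonymous
        RestrictAnonymousSAM             = $restrictAnonymousSam
        AnonymousShareEnumerationAllowed = ($restrictAnonymous -eq 0)
        AnonymousSamEnumerationAllowed   = ($restrictAnonymousSam -eq 0)
    }
}

function Set-AnonymousEnumerationPolicy {
    param(
        [switch]$BlockShares,       # sets RestrictAnonymous = 1
        [switch]$BlockSamAccounts,  # sets RestrictAnonymousSAM = 1
        [string]$Path = $LsaPath
    )
    if ($BlockShares) {
        Set-ItemProperty -Path $Path -Name 'RestrictAnonymous' -Value 1 -Type DWord
    }
    if ($BlockSamAccounts) {
        Set-ItemProperty -Path $Path -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord
    }
    # Return the post-change state so the caller can confirm the result.
    Get-AnonymousEnumerationPolicy -Path $Path
}

# Usage: report the current state; uncomment the second line to block both kinds
# of anonymous enumeration on this machine.
Get-AnonymousEnumerationPolicy | Format-List
# Set-AnonymousEnumerationPolicy -BlockShares -BlockSamAccounts | Format-List
```

Writing the registry value directly is equivalent to changing the local Security Options setting. On a domain-joined machine a domain GPO that defines either policy will reapply its own value at the next policy refresh, so treat the script's output as the current local state and confirm the effective setting with gpresult or the Resultant Set of Policy snap-in before concluding that a machine is hardened.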
