Question on - Network Access: Do not allow anonymous enumeration of SAM accounts and shares

[Spin]

Gurus,

How much of a security risk are these Windows security settings pose if they
are allowed? I am not looking for a security exposition, just a few quick
thoughts?

Network Access: Allow anonymous SID/Name translation
Network Access: Do not allow anonymous enumeration of SAM accounts
Network Access: Do not allow anonymous enumeration of SAM accounts and
shares

--
Spin

 

[Roger Abell [MVP]]

Only you can assess risk based on context of the machines.
Those settings only very rarely need to be set to allow these
things to anonymous. All your accounts can do those things
regardless of the settings.
So, based on context of machines you need to answer:
What risk is posed by allowing anyone that can connect via
the network the ability to discover my defined shares and
principals' (accounts, groups, joined computer) names, and
even the account and group SIDs that would not change when
these are renamed (such as done during response to penetration).
If your machines are not networked the risk is minimal, while
if live and naked on the internet then you would be needlessly
providing much info about your system (shares - where to
attempt logins distributed across multiple security event logs
principals - what names to use group - which are admins etc.)
to anyone anywhere.
Roger


"Spin" <Spin@invalid.com> wrote in message
news:65k5gvF2efhc2U1@mid.individual.net...
> Gurus,
>
> How much of a security risk are these Windows security settings pose if
> they are allowed? I am not looking for a security exposition, just a few
> quick thoughts?
>
> Network Access: Allow anonymous SID/Name translation
> Network Access: Do not allow anonymous enumeration of SAM accounts
> Network Access: Do not allow anonymous enumeration of SAM accounts and
> shares
>
> --
> Spin
>
>
>
>
>
>
>