Re: Anonymous Enumeration of accounts and shares

From: greg (Goo_at_tuxiecomputing.com)
Date: 02/22/05


Date: 22 Feb 2005 06:25:30 -0800


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message news:<#c7zUW4FFHA.392@TK2MSFTNGP14.phx.gbl>...
> By default Windows 2003 will only restrict access allow anonymous
> enumeration of sam accounts. You might also want to enable the security
> option for do not allow anonymous enumeration of sam accounts and shares in
> Domain Controller Security Policy. Also make sure that you are indeed using
> a null session. You could verify that by going to the domain controller and
> using Computer Management looking at shared folders/sessions to see how the
> IPC$ connection is being authenticated.
>
Hello Steve,

Thanks,

I already have the following in both domain controller policy and
domain policy.
Allow Anonymous SID/Name translation: DISABLED
Do not allow anonymous enumeration of SAM accounts: ENABLED
Do not allow anonymous enumeration of SAM accounts/Shares : ENABLED
Let everyone permissions apply to anonymous users: DISABLED

Which is why I can't understand what is happening here.

> While restricting access for anonymous access to sam/shares makes sense when
> it can be done it is part of security through obscurity. A properly
> configured firewall will not allow users from untrusted networks to use null
> sessions to enumerate user accounts/shares. Ultimately you need to rely on
> enforcing strong password policy in the network, share/ntfs permissions,
> group membership, user rights, the use of auditing, etc. to protect your
> resources.

I could not agree more. Group policy protects all the workstations,
but the DC is a potential source of failure here. The firewall can be
tightened to prevent this happening. SP1 for 2003 is supposed to
implement the WinXP SP2 firewall, so we already have a rule set that
we can apply to the DCs then.

Thanks for your comments,
Dave.
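A defender-side check for the situation above, added here as an example and not part of the thread: it reads the effective registry values behind the security options Dave lists, pulls the SID/Name translation setting out of an LSA policy export, and lists who is currently attached to the server so a suspected null session can be confirmed the way Steven suggests. It assumes an elevated PowerShell session on a current Windows Server (Get-SmbSession needs Windows Server 2012 or later); the expected values are the ones the thread's settings should produce.

```powershell
# Added audit example, not code from the thread. Run elevated on the domain controller.
$expected = @{
    # Do not allow anonymous enumeration of SAM accounts: ENABLED
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|RestrictAnonymousSAM'      = 1
    # Do not allow anonymous enumeration of SAM accounts and shares: ENABLED
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|RestrictAnonymous'         = 1
    # Let Everyone permissions apply to anonymous users: DISABLED
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|EveryoneIncludesAnonymous' = 0
    # Restrict anonymous access to named pipes and shares: ENABLED
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters|RestrictNullSessAccess' = 1
}

# Compare what the registry actually holds with what the policy should have set.
# A value that is missing or differs means the GPO did not apply to this box.
foreach ($entry in $expected.GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $state  = if ($actual -eq $entry.Value) { 'OK ' } else { 'BAD' }
    '{0} {1}\{2} = {3} (expected {4})' -f $state, $path, $name, $actual, $entry.Value
}

# Pipes and shares explicitly left open to null sessions, if any.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($n in 'NullSessionPipes', 'NullSessionShares') {
    $v = (Get-ItemProperty -Path $srv -Name $n -ErrorAction SilentlyContinue).$n
    '{0}: {1}' -f $n, $(if ($v) { $v -join ', ' } else { '<none>' })
}

# "Allow anonymous SID/Name translation" lives in the LSA policy database, not the
# registry; secedit exports it as LSAAnonymousNameLookup (0 = disabled).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$lookup = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
'LSAAnonymousNameLookup = {0} (expected 0)' -f $lookup
Remove-Item $cfg -ErrorAction SilentlyContinue

# Sessions currently open against this server and how each authenticated.
# An IPC$ connection made as a null session typically shows an empty or
# ANONYMOUS LOGON client user name here rather than a domain account.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens
```

If every line reports OK but the listed session carries a real domain account, the enumeration is not anonymous at all and the policy is working as intended.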
