Network access: Allow anonymous SID/Name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. Disable this policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs. Counter Measure: Configure the Network access: Allow anonymous SID/Name translation setting to Disabled. Potential Impact: Disabled is the default configuration for this policy setting on member computers; therefore it will have no impact on them. The default configuration for domain controllers is Enabled. If you disable this policy setting on domain controllers, legacy computers may be unable to communicate with Windows Server 2003-based domains. For example, the following computers may not work: * Windows NT 4.0-based Remote Access Service servers. * Microsoft SQL Servers that run on Windows NT 3.x-based or Windows NT 4.0-based computers. * Remote Access Service or Microsoft SQL servers that run on Windows 2000-based computers and are located in Windows NT 3.x domains or Windows NT 4.0 domains.

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation (2) REG: ### (3) WMI: root\rsop\computer RSOP_SecuritySettingBoolean Setting KeyName='LSAAnonymousNameLookup' and precedence=1