Network access: Do not allow anonymous enumeration of SAM accountsID: oval:gov.nist.usgcb.windowsseven:def:86 | Date: (C)2012-04-13 (M)2023-07-14 |
Class: COMPLIANCE | Family: windows |
This security setting determines what additional permissions will be granted for anonymous connections to the computer.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
This security option allows additional restrictions to be placed on anonymous connections as follows:
Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No additional restrictions. Rely on default permissions.
Default on workstations: Enabled.
Default on server: Disabled.
Important
This policy has no impact on domain controllers.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM
Platform: |
Microsoft Windows 7 |