Access Denied: Understanding the Anonymous Enumeration Policies
Get answers to your security-related Windows 2003, XP, and Win2K questions
November 21, 2004
What's the difference between the Network access: Do not allow anonymous enumeration of SAM accounts policy and the Network access: Do not allow anonymous enumeration of SAM accounts and shares policy that I see in Group Policy Objects (GPOs) that appear under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options when I'm logged on at a Windows Server 2003 or Windows XP computer?
Welcome to the confusing world of Microsoft naming conventions. The Network access: Do not allow anonymous enumeration of SAM accounts and shares policy would be more accurately named Network access: Do not allow anonymous enumeration of shares. Network access: Do not allow anonymous enumeration of SAM accounts and shares controls the RestrictAnonymous registry value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. On Windows 2003 and XP systems, RestrictAnonymous simply controls whether anonymous connections (aka null sessions) can obtain a list of shared folders from the computer; whether they can list accounts is governed by the separate value described next. RestrictAnonymous also exists on Windows 2000 Server, where it is set by the Win2K Additional restrictions for anonymous connections policy (as described in the next question and answer).
Network access: Do not allow anonymous enumeration of SAM accounts controls the RestrictAnonymousSAM registry value, which also resides in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. RestrictAnonymousSAM specifies whether anonymous connections can enumerate local user accounts from the SAM. By default, Windows 2003 and XP disable Network access: Do not allow anonymous enumeration of SAM accounts and shares (RestrictAnonymous = 0) and enable Network access: Do not allow anonymous enumeration of SAM accounts (RestrictAnonymousSAM = 1), which means anonymous connections can enumerate shares but can't list local user accounts. Anonymous enumeration of user accounts is one way attackers obtain valid usernames for social engineering or for password guessing. Anonymous enumeration of shares is less of a risk, but it obviously hands an attacker a list of folders to try if he or she later succeeds in logging on to the computer.
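The following PowerShell script is an added example, not part of the original column: it reads the two Lsa values the answer describes, maps each back to the Security Options policy name it backs, and can set the hardened configuration (both policies enabled) or restore the Windows XP/2003 defaults described above. The registry path and value names come from the answer; the function names, the $policyMap table and the -Harden switch are this example's own, and the script assumes it runs in an elevated PowerShell session on the local computer.

```powershell
# Added example (not from the original column): audit and optionally harden the
# RestrictAnonymous / RestrictAnonymousSAM values behind the two Security Options
# policies discussed above. Assumes an elevated session on the local machine.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry value -> the Group Policy Security Option it backs (names from the answer).
$policyMap = @{
    RestrictAnonymousSAM = 'Network access: Do not allow anonymous enumeration of SAM accounts'
    RestrictAnonymous    = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
}

function Get-AnonymousEnumerationPolicy {
    # Returns one object per value: raw data, policy name and Enabled/Disabled state.
    $lsa = Get-ItemProperty -Path $lsaKey
    foreach ($name in 'RestrictAnonymousSAM', 'RestrictAnonymous') {
        $raw = $lsa.$name                      # $null when the value is absent
        $state = if ($null -eq $raw)           { 'not set' }
                 elseif ([int]$raw -ge 1)      { 'Enabled' }
                 else                          { 'Disabled' }
        [pscustomobject]@{
            Value  = $name
            Data   = $raw
            Policy = $policyMap[$name]
            State  = $state
        }
    }
}

function Set-AnonymousEnumerationPolicy {
    # -Harden: enable both policies so null sessions can list neither accounts nor shares.
    # Without -Harden: restore the XP/2003 defaults (SAM enumeration blocked, shares allowed).
    param([switch]$Harden)

    $sharesValue = if ($Harden) { 1 } else { 0 }
    Set-ItemProperty -Path $lsaKey -Name RestrictAnonymousSAM -Value 1            -Type DWord
    Set-ItemProperty -Path $lsaKey -Name RestrictAnonymous    -Value $sharesValue -Type DWord

    # Show the resulting state so the change is visible immediately.
    Get-AnonymousEnumerationPolicy | Format-Table -AutoSize
}

# Audit only: run the script as-is. To lock down both values, call
#   Set-AnonymousEnumerationPolicy -Harden
Get-AnonymousEnumerationPolicy | Format-Table -AutoSize
```

Two caveats worth keeping in mind. First, on a domain-joined computer the local value is only the current state: if a GPO sets either Security Option, Group Policy will write it back at the next refresh, so make the change in the GPO rather than (or in addition to) the registry. Second, confirm the effect from another machine rather than trusting the value: a null session established with net use \\host\ipc$ "" /user:"" followed by net view \\host should fail to list shares once RestrictAnonymous is 1, and account listing via a null session should already be blocked by the default RestrictAnonymousSAM of 1.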