Tip

Checklist: Block anonymous access

If you followed my checklist on how to change Administrator and Guest account names to obscure those accounts from intruders, you know that intruders can also gain access to those accounts by using a known security identifier (SID). So wouldn't changing the name be like hiding the key to the house under a rock by the door? Not if another step is taken.

While it's true that the Administrator account uses a known number in its SID, it's also true that a unique number identifying the computer comprises the other part of the SID. To find that information, an attacker must have anonymous access. Anonymous access is the ability to connect to a computer and obtain information without having an account and password. Once connected, an attacker may be able to list account names, access information that is not properly protected by file system permissions and so on.

To deduce the SID of the Administrator account, the attacker obtains the account list, translates the account into a SID, retrieves the computer part of the SID, adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. To foil this process, use the security options below, which block anonymous access and other types of attacks that use anonymous access.


 Checklist: Block anonymous access
1. Disable the option "Network Access: Allow anonymous SID/name translation."
This option, once disabled, prevents anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to deduce account names.
2. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."
When enabled, this option prevents the enumeration of the user account list via an anonymous connection. When both this and the above security options are used, you can keep the changed name of the Administrator account hidden from an attacker using an anonymous connection.
3. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."
When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by permissions, then anonymous access won't matter. If share permissions are not correct, or when they inadvertently offer access to an anonymous connection, you need to block anonymous connections to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where the group is given access permissions.
4. Disable the option "Network Access: Let Everyone permissions apply to anonymous users."
On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. Keep this option disabled to prevent access.
5. Enter the names of named pipes if necessary in the option "Network Access: Named Pipes that can be accessed anonymously."
Named pipes are another way network connections can be made by client/server programs. In this scenario, one part of a program runs on one computer and another part on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it where required.
6. Enter the names of shares if necessary in the option "Network Access: Shares that can be accessed anonymously."
Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require anonymous access.
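
One way to verify the six options above on an existing machine is to audit a policy file produced by `secedit /export /cfg <file>`. The script below is an added example, not part of the original checklist; it assumes the usual mapping of these options to `LSAAnonymousNameLookup` and the `Lsa` and `LanManServer\Parameters` registry values, and its sample export is constructed.

```python
LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"
SRV = r"machine\system\currentcontrolset\services\lanmanserver\parameters" + "\\"
CHECKS = [  # (checklist item, policy key, expected value); None = allow-list to review
    (1, "lsaanonymousnamelookup", "0"),
    (2, LSA + "restrictanonymoussam", "1"),
    (3, LSA + "restrictanonymous", "1"),
    (4, LSA + "everyoneincludesanonymous", "0"),
    (5, SRV + "nullsessionpipes", None),
    (6, SRV + "nullsessionshares", None),
]

# Constructed sample export (real exports are usually UTF-16 encoded files).
SAMPLE = r"""[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,netlogon,samr
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
"""

def parse_export(text):
    """Map lowercased setting names to values from the two relevant sections."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section in ("system access", "registry values"):
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "registry values":  # path=<type>,<data>; 4 = DWORD, 7 = MULTI_SZ
                value = value.split(",", 1)[1] if "," in value else ""
            settings[key.lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return (item, status, detail) for each of the six checklist items."""
    settings, results = parse_export(text), []
    for item, key, expected in CHECKS:
        value = settings.get(key)
        if expected is None:  # items 5 and 6: every listed name needs a justification
            names = [n.strip() for n in (value or "").split(",") if n.strip()]
            results.append((item, "REVIEW" if names else "OK", names))
        else:
            status = "MISSING" if value is None else "OK" if value == expected else "FAIL"
            results.append((item, status, value))
    return results
```

Calling `audit(SAMPLE)` flags items 1 and 3 as `FAIL` and item 5 as `REVIEW`, listing the pipe names that still accept anonymous connections.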

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.



  • ABOUT THE AUTHOR:
    Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

    Copyright 2004


    This was first published in March 2005
