Checklist: Block anonymous access

You can change Windows account names to obscure them from attackers, but account SIDs can still be obtained using anonymous access. Foil intruders with this checklist.

If you followed my checklist on how to change Administrator and Guest account names to obscure those accounts from intruders, you know that intruders can also gain access to those accounts by using a known security identifier (SID). So wouldn't changing the name be like hiding the key to the house under a rock by the door? Not if another step is taken.

While it's true that the Administrator account uses a known number in its SID, it's also true that a unique number identifying the computer comprises the other part of the SID. To find that information, an attacker must have anonymous access. Anonymous access is the ability to connect to a computer and obtain information without having an account and password. Once connected, an attacker may be able to list account names, access information that is not properly protected by file system permissions and so on.

To deduce the SID of the Administrator account, the attacker obtains the account list, translates the account into a SID, retrieves the computer part of the SID, adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. To foil this process, use the security options below, which block anonymous access and other types of attacks that use anonymous access.


 Checklist: Block anonymous access
1. Disable the option "Network Access: Allow anonymous SID/name translation."
This option, once disabled, prevents anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to deduce account names.
2. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."
When enabled, this option prevents the enumeration of the user account list via an anonymous connection. When both this and the above security options are used, you can keep the changed name of the Administrator account hidden from an attacker using an anonymous connection.
3. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."
When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by permissions, then anonymous access won't matter. If share permissions are not correct, or when they inadvertently offer access to an anonymous connection, you need to block anonymous connections to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where the group is given access permissions.
4. Disable the option "Network Access: Let Everyone permissions apply to anonymous users."
On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. Keep this option disabled to prevent access.
5. Enter the names of named pipes if necessary in the option "Network Access: Named Pipes that can be accessed anonymously."
Named pipes are another way network connections can be made by client/server programs. In this scenario, one part of a program runs on one computer and another part on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it where required.
6. Enter the names of shares if necessary in the option "Network Access: Shares that can be accessed anonymously."
Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require anonymous access.
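
To verify the six options above on a host, the following PowerShell function audits a security policy export produced by secedit. It is an added example, not part of the original checklist; the setting names (LSAAnonymousNameLookup, RestrictAnonymousSAM, RestrictAnonymous, EveryoneIncludesAnonymous, NullSessionPipes, NullSessionShares) are the names under which Windows stores these options and do not appear in the article, and the sample export and the pipe name "legacyapp" are constructed.

```powershell
# Real input comes from: secedit /export /cfg policy.inf /areas SECURITYPOLICY
# Constructed sample export (not from a real host); items 1, 3 and 5 need review.
$SampleInf = @'
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,legacyapp
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
'@

function Test-AnonymousAccessPolicy {
    param([Parameter(Mandatory)][string]$InfText)
    # Index each "name = value" line by the last path component of its name.
    $values = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.*)$') {
            $name = ($Matches[1] -split '\\')[-1]
            # Registry lines are "type,data" (4 = DWORD, 7 = MULTI_SZ); drop the type.
            $values[$name] = $Matches[2].Trim() -replace '^\d+,', ''
        }
    }
    # Items 1-4: on/off options with the state the checklist asks for.
    $wanted = [ordered]@{
        LSAAnonymousNameLookup    = '0'   # 1. SID/name translation disabled
        RestrictAnonymousSAM      = '1'   # 2. no SAM account enumeration
        RestrictAnonymous         = '1'   # 3. no SAM account/share enumeration
        EveryoneIncludesAnonymous = '0'   # 4. Everyone excludes anonymous
    }
    $item = 0
    foreach ($name in $wanted.Keys) {
        $item++
        $actual = $values[$name]
        $status = if ($actual -eq $wanted[$name]) { 'OK' } else { 'REVIEW' }
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{ Item = $item; Setting = $name; Value = $shown; Status = $status }
    }
    # Items 5-6: exception lists; every entry should be a known legacy requirement.
    foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
        $item++
        $entries = @("$($values[$name])" -split ',' | Where-Object { $_ })
        $status = if ($entries.Count -eq 0) { 'OK' } else { 'REVIEW' }
        $shown  = if ($entries.Count -eq 0) { '(none)' } else { $entries -join ', ' }
        [pscustomobject]@{ Item = $item; Setting = $name; Value = $shown; Status = $status }
    }
}
Test-AnonymousAccessPolicy -InfText $SampleInf | Format-Table -AutoSize
```

Item 1 is stored in the [System Access] section of the export rather than as a registry value, so a check that reads only the registry would miss it. Entries for items 5 and 6 are flagged for review rather than failed, since the checklist allows them where a legacy application requires anonymous access.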

ABOUT THE AUTHOR:
Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Copyright 2004

This was first published in March 2005