Protecting against anonymous connections using Group Policy Objects

Microsoft has relied on anonymous connections to allow computers and services to establish open communications with other computers. These anonymous connections are not secure, however. Attackers exploit anonymous connections left open on Windows computers to access essential security-related information. With Group Policy Objects (GPOs), you can protect your Windows computers to restrict the anonymous connections.

What you are protecting

Once an attacker has made an anonymous connection to your computer, gaining access to much of the security-related information is easy. An attacker can gather the following information with an anonymous connection:

  • List of users from your computer, including Active Directory
  • List of groups from your computer, including Active Directory
  • Security identifiers (SIDs) for user accounts
  • User accounts for SIDs
  • List of shares from your computer
  • Account policies from your computer
  • NetBIOS name from your computer
  • Domain name associated with your computer
  • List of domains that your domain trusts

Protection-level updates are here

To protect against anonymous connections and enumeration of essential security information, you should use Group Policy

Requires Free Membership to View

Objects. Microsoft changed the level of protection for the Windows 2000 and Windows XP/2003 environments.

To protect against anonymous connections in Windows 2000 computers, you should configure the following GPO setting:

  • Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsAdditional Restrictions for Anonymous Connections

Ideally, you would configure this to "No access without explicit anonymous permissions." However, this might break some clients and applications that need to communicate with your Windows 2000 computers. After testing this setting, you might find it necessary to back the setting off to "Do not allow enumeration of SAM accounts or shares."

To protect your Windows XP and Server 2003 computers, go to the same node within a GPO, but configure the following GPO settings:

  • Network access: Allow anonymous SID/Name translation. This protects against tools that can grab the SID based on a name or vice-versa. You should set this to "Disabled."
  • Network access: Let Everyone permissions apply to anonymous users. This protects against an anonymous connection accessing all resources that the Everyone group is configured to access. You should set this to "Disabled."
  • Network access: Do not allow anonymous enumeration of storage area management (SAM) accounts. This protects against enumerating the list of users and groups in the SAM directory (or Active Directory). You should set this to "Enabled."
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares. This protects against listing users and groups from the SAM directory, as well as the list of shares for the computer. You should set this to "Enabled."

Anonymous connections are very easy to make and they give an attacker a way to access too much information. You need to protect your computers in order to ensure a stable and safe environment. By using GPOs, you can protect your client and server computers, regardless of the operating system you are using. After you test and implement the protection of anonymous connections, you can move on to the next task: protecting your network.

Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training is also available which coincides with the books, which you can find at http://www.auditlearning.org/home/. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at derekm@braincore.net.

This was first published in March 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.