Microsoft has relied on anonymous connections to allow computers and services to establish open communications with other computers. These anonymous connections are not secure, however. Attackers exploit anonymous connections left open on Windows computers to access essential security-related information. With Group Policy Objects (GPOs), you can protect your Windows computers to restrict the anonymous connections.
What you are protecting
Once an attacker has made an anonymous connection to your computer, gaining access to much of the security-related information is easy. An attacker can gather the following information with an anonymous connection:
- List of users from your computer, including Active Directory
- List of groups from your computer, including Active Directory
- Security identifiers (SIDs) for user accounts
- User accounts for SIDs
- List of shares from your computer
- Account policies from your computer
- NetBIOS name from your computer
- Domain name associated with your computer
- List of domains that your domain trusts
Protection-level updates are here
To protect against anonymous connections and enumeration of essential security information, you should use Group Policy Objects. Microsoft changed the level of protection for the Windows 2000 and Windows XP/2003 environments.
To protect against anonymous connections in Windows 2000 computers, you should configure the following GPO setting:
- Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsAdditional Restrictions for Anonymous Connections
Ideally, you would configure this to "No access without explicit anonymous permissions." However, this might break some clients and applications that need to communicate with your Windows 2000 computers. After testing this setting, you might find it necessary to back the setting off to "Do not allow enumeration of SAM accounts or shares."
To protect your Windows XP and Server 2003 computers, go to the same node within a GPO, but configure the following GPO settings:
- Network access: Allow anonymous SID/Name translation. This protects against tools that can grab the SID based on a name or vice-versa. You should set this to "Disabled."
- Network access: Let Everyone permissions apply to anonymous users. This protects against an anonymous connection accessing all resources that the Everyone group is configured to access. You should set this to "Disabled."
- Network access: Do not allow anonymous enumeration of storage area management (SAM) accounts. This protects against enumerating the list of users and groups in the SAM directory (or Active Directory). You should set this to "Enabled."
- Network access: Do not allow anonymous enumeration of SAM accounts and shares. This protects against listing users and groups from the SAM directory, as well as the list of shares for the computer. You should set this to "Enabled."
Anonymous connections are very easy to make and they give an attacker a way to access too much information. You need to protect your computers in order to ensure a stable and safe environment. By using GPOs, you can protect your client and server computers, regardless of the operating system you are using. After you test and implement the protection of anonymous connections, you can move on to the next task: protecting your network.
Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training is also available which coincides with the books, which you can find at http://www.auditlearning.org/home/. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at firstname.lastname@example.org.