Checklist: Block anonymous access

While it's true that the Administrator account uses a known number in its SID, it's also true that a unique number identifying the computer comprises the other part of the SID. To find that information, an attacker must have anonymous access. Anonymous access is the ability to connect to a computer and obtain information without having an account and password. Once connected, an attacker may be able to list account names, access information that is not properly protected by file system permissions and so on.

To deduce the SID of the Administrator account, the attacker obtains the account list, translates the account into a SID, retrieves the computer part of the SID, adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. To foil this process, use the security options below, which block anonymous access and other types of attacks that use anonymous access.

You may download a printer-friendly version.

Checklist: Block anonymous access

1. Disable the option "Network Access: Allow anonymous SID/name translation."

This option, once disabled, prevents anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to

deduce account names.

2. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."

When enabled, this option prevents the enumeration of the user account list via an anonymous connection. When both this and the above security options are used, you can

keep the changed name of the Administrator account hidden from an attacker using an anonymous connection.

3. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."

When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by

permissions, then anonymous access won't matter. If share permissions are not correct, or when they inadvertently offer access to an anonymous connection, you need to block

anonymous connection to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where the group

is given access permissions.

4. Disable the option "Network Access: Let Everyone permissions apply to anonymous users."

On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. Keep this

option disabled to prevent access.

5. Enter the names of named pipes if necessary in option "Network Access: Named Pipes that can be accessed anonymously."

Named pipes are another way network connections can be made by client/server programs. In this scenario, one part of a program runs on one computer and another part

on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it where required.

6. Enter the name of shares if necessary in the option "Network Access: Shares that can be accessed anonymously."

Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require

anonymous access.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.

ABOUT THE AUTHOR:   Go back to Checklists

Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker. Click to ask Roberta a question or purchase her book here. Also, if you have specific questions or comments about any of Roberta's checklists, click to e-mail her directly. Copyright 2004

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network intrusion detection and prevention and malware removal Underlying causes of inconsistent patch management Windows security tools for the busy desktop administrator Check IT List: Five steps for rootkit detection Top Windows client security tools for end users Hacking Exposed Windows: Windows security features and tools Tools for virus removal and detection Windows security testing: Five tips for the summer Buffer overflows can be prevented by GS cookies Windows Resource Protection (WRP) protects critical system resources How to secure BitLocker configurations Microsoft Windows XP Pro Guide to converting from Windows XP to Windows 7 Top 5 registry keys for Windows XP Manage the desktop image lifecycle to limit work, ensure security Secure Windows XP before a Windows 7 upgrade Microsoft's August patches run the gamut Hold on to Windows XP at your peril XP stragglers blame hardware costs, new features Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Vista shops eye quick path to Windows 7, XP shops likely to resist RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Error messages for Windows XP Pro  (SearchEnterpriseDesktop.com) XP key changer  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.