Digg This!     StumbleUpon     Del.icio.us

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network intrusion detection and prevention and malware removal 20 days to a more secure enterprise Improvements to offline file synchronization in Windows 7 Underlying causes of inconsistent patch management Windows security tools for the busy desktop administrator Check IT List: Five steps for rootkit detection Top Windows client security tools for end users Hacking Exposed Windows: Windows security features and tools Tools for virus removal and detection Windows security testing: Five tips for the summer Buffer overflows can be prevented by GS cookies Microsoft Windows XP Pro Guide to converting from Windows XP to Windows 7 Top 5 registry keys for Windows XP Manage the desktop image lifecycle to limit work, ensure security Secure Windows XP before a Windows 7 upgrade Microsoft's August patches run the gamut Hold on to Windows XP at your peril XP stragglers blame hardware costs, new features Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Vista shops eye quick path to Windows 7, XP shops likely to resist

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Error messages for Windows XP Pro  (SearchEnterpriseDesktop.com) XP key changer  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

umn width settings -->



[IMAGE]





 Checklist: Block anonymous access

[IMAGE]1. Disable the option "Network Access: Allow anonymous SID/name translation."

[IMAGE]This option, once disabled, prevents anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to

[IMAGE]deduce account names.

[IMAGE]

[IMAGE]2. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."

[IMAGE]When enabled, this option prevents the enumeration of the user account list via an anonymous connection. When both this and the above security options are used, you can

[IMAGE]keep the changed name of the Administrator account hidden from an attacker using an anonymous connection.

[IMAGE]

[IMAGE]3. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."

[IMAGE]When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by

[IMAGE]permissions, then anonymous access won't matter. If share permissions are not correct, or when they inadvertently offer access to an anonymous connection, you need to block

[IMAGE]anonymous connection to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where the group

[IMAGE]is given access permissions.

[IMAGE]

[IMAGE]4. Disable the option "Network Access: Let Everyone permissions apply to anonymous users."

[IMAGE]On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. Keep this

[IMAGE]option disabled to prevent access.

[IMAGE]

[IMAGE]5. Enter the names of named pipes if necessary in option "Network Access: Named Pipes that can be accessed anonymously."

[IMAGE]Named pipes are another way network connections can be made by client/server programs. In this scenario, one part of a program runs on one computer and another part

[IMAGE]on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it where required.

[IMAGE]

[IMAGE]6. Enter the name of shares if necessary in the option "Network Access: Shares that can be accessed anonymously."

[IMAGE]Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require

[IMAGE]anonymous access.

[IMAGE]

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.

ABOUT THE AUTHOR:   Go back to Checklists

[IMAGE]Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Click to ask Roberta a question or purchase her book here. Also, if you have specific questions or comments about any of Roberta's checklists, click to e-mail her directly. Copyright 2004

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.