
Protecting against anonymous connections using GPOs
by Derek Melber, Contributor 03.22.2005
Microsoft has relied on anonymous connections to allow computers and services to establish open communications with other computers. These anonymous connections are not secure, however. Attackers exploit anonymous connections left open on Windows computers to access essential security-related information. With Group Policy Objects (GPOs), you can restrict anonymous connections to your Windows computers.
What you are protecting
Once an attacker has made an anonymous connection to your computer, gaining access to much of the security-related information is easy. An attacker can gather the following information with an anonymous connection:
Protection-level updates are here
To protect against anonymous connections and enumeration of essential security information, you should use Group Policy Objects. Microsoft changed the level of protection for the Windows 2000 and Windows XP/2003 environments.
To protect against anonymous connections in Windows 2000 computers, you should configure the following GPO setting:
Ideally, you would configure this to "No access without explicit anonymous permissions." However, this might break some clients and applications that need to communicate with your Windows 2000 computers. After testing this setting, you might find it necessary to back the setting off to "Do not allow enumeration of SAM accounts or shares."
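After the GPO has applied, the registry values behind these options can be read back to confirm the result. The PowerShell below is an added example, not part of the original article: it relies on the two options quoted above being stored as RestrictAnonymous data 2 and 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the other two values it checks (RestrictAnonymousSAM, EveryoneIncludesAnonymous) are this example's own choice of related XP/2003-era values. It needs PowerShell 3.0 or later and `$requiredLevel` is a hypothetical name for the level you settled on after testing.

```powershell
# Added example: audit the registry values behind the anonymous-access policies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Level chosen after testing: 2 = "No access without explicit anonymous
# permissions", 1 = "Do not allow enumeration of SAM accounts or shares".
$requiredLevel = 1

# RestrictAnonymous data -> option text (0 is described in this example's words)
$labels = @{
    0 = 'no restriction (value 0 or not set)'
    1 = 'Do not allow enumeration of SAM accounts or shares'
    2 = 'No access without explicit anonymous permissions'
}

# Acceptable range for each value; the last two are assumptions of this example.
$checks = @(
    @{ Name = 'RestrictAnonymous';         Min = $requiredLevel; Max = 2 }
    @{ Name = 'RestrictAnonymousSAM';      Min = 1;              Max = 1 }
    @{ Name = 'EveryoneIncludesAnonymous'; Min = 0;              Max = 0 }
)

function Get-LsaValue {
    param([string]$Name)
    # Returns $null when the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$results = foreach ($c in $checks) {
    $raw = Get-LsaValue -Name $c.Name
    # A missing value is treated as 0, the least restrictive reading.
    $effective = if ($null -eq $raw) { 0 } else { $raw }
    [pscustomobject]@{
        Value     = $c.Name
        Data      = if ($null -eq $raw) { '(not set)' } else { $raw }
        Compliant = ($effective -ge $c.Min -and $effective -le $c.Max)
        Meaning   = if ($c.Name -eq 'RestrictAnonymous') { $labels[$effective] } else { '' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job flag this machine.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```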
To protect your Windows XP and Server 2003 computers, go to the same node within a GPO, but configure the following GPO settings:
Summary
Anonymous connections are very easy to make and they give an attacker a way to access too much information. You need to protect your computers in order to ensure a stable and safe environment. By using GPOs, you can protect your client and server computers, regardless of the operating system you are using. After you test and implement the protection against anonymous connections, you can move on to the next task: protecting your network.
Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training that coincides with the books is also available at http://www.auditlearning.org/home/. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at derekm@braincore.net.