Saturday, June 19, 2010

RestrictAnonymous and RestrictAnonymousSAM = 1

Set and enforce strict file-level and registry permissions
Go through your directories and verify that only specific groups have access to the information contained within them. Then restrict anonymous (null-session) users from enumerating the accounts and shares on the host, which is what RestrictAnonymous controls. This can be done with a registry value:
HKLM\System\CurrentControlSet\Control\LSA\restrictanonymous=1

Or via a Group Policy:
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares -> Enabled

HKLM\System\CurrentControlSet\Control\LSA\restrictanonymoussam=1
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts -> Enabled
Default: Enabled on workstations, Disabled on servers. Defaults vary by Windows version and machine role, so check the effective value on each host rather than relying on them.
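As an added example (not code from the original post): a PowerShell script that audits the three LSA values discussed above, sets them to the values this post recommends, and then cross-checks the result against the Security Options view that Group Policy writes. The target values in $Desired, the domain-controller refusal check and the variable names are this example's choices; run it in an elevated session on the host being hardened.

```powershell
# Added example, not code from the original post. Assumptions: the LSA key path and value
# names are the documented ones; the target values in $Desired are this example's choice.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RestrictAnonymous         -> "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
# RestrictAnonymousSAM      -> "Network access: Do not allow anonymous enumeration of SAM accounts"
# EveryoneIncludesAnonymous -> "Network access: Let Everyone permissions apply to anonymous users" (keep at 0)
$Desired = [ordered]@{
    RestrictAnonymous         = 1
    RestrictAnonymousSAM      = 1
    EveryoneIncludesAnonymous = 0
}

# RestrictAnonymous = 2 is not recommended on domain controllers (see the TechNet note
# quoted later on this page); Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($Desired.RestrictAnonymous -eq 2 -and $role -ge 4) {
    throw 'RestrictAnonymous = 2 is not recommended on a domain controller; use 1 here.'
}

foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $LsaPath -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { 'missing' } else { $current }
    Write-Host ('{0,-26} current={1,-8} desired={2}' -f $name, $shown, $Desired[$name])

    if ($current -ne $Desired[$name]) {
        # The value must be REG_DWORD; Set-ItemProperty creates it if it is missing.
        Set-ItemProperty -Path $LsaPath -Name $name -Value $Desired[$name] -Type DWord
        Write-Host "  -> $name set to $($Desired[$name])"
    }
}

# Cross-check against the Security Options view. secedit exports these values under
# [Registry Values] as MACHINE\...\Lsa\RestrictAnonymous=4,1 (4 = REG_DWORD, 1 = the data).
$inf = Join-Path $env:TEMP 'lsa-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Select-String -Path $inf -Pattern 'Lsa\\(RestrictAnonymous|RestrictAnonymousSAM|EveryoneIncludesAnonymous)=' |
    ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue
```

On a domain-joined host a local registry write only lasts until the next policy refresh if a GPO defines the same Security Option, so for managed machines set the values in the GPO (the Group Policy paths above) and use this script as the audit; the secedit export at the end shows the same values the Security Options editor shows.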

 

 

Note

  • In Windows XP, there is a new registry setting (EveryoneIncludesAnonymous, under the same HKLM\System\CurrentControlSet\Control\LSA key; the Group Policy name is "Network access: Let Everyone permissions apply to anonymous users") that controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems. Leave it at 0 (Disabled): setting it to 1 puts the Everyone SID back into the anonymous token, so every ACE granted to Everyone applies to anonymous logons again.

Reference:

Restrict Anonymous check

Published: December 16, 2009

Applies To: Forefront Client Security

The Restrict Anonymous SSA check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections on the scanned computer. The registry setting is at the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

Anonymous users can list certain types of system information, including user names and details, account policies, and share names. The list of user names and share names could help potential attackers learn compromising information, such as:

  • Who is an administrator.

  • Which computers have weak account protection.

  • Which computers share information with the network.

Users who want enhanced security can restrict this function so that anonymous users cannot access this information.

The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. RestrictAnonymous can be set to any of the following values:

  • 0—None. Rely on default permissions.

  • 1—Do not allow enumeration of Security Accounts Manager accounts and names.

  • 2—No access without explicit anonymous permissions.

It is not recommended that you set RestrictAnonymous to 2 on domain controllers or on computers running Microsoft Windows Small Business Server 2003 (Windows SBS) server software unless they are in pure Windows 2000 Server environments and have been tested for application compatibility. In addition, client computers with RestrictAnonymous set to 2 should not take on the role of master browser.

In Windows XP, the EveryoneIncludesAnonymous registry setting controls whether permissions given to the built-in Everyone group apply to anonymous users. By default, permissions granted to the Everyone group do not apply to anonymous users in Windows XP, which therefore provides the same level of anonymous user restrictions as the RestrictAnonymous setting in previous Windows operating systems.

Resolutions for potentially unacceptable scores

Review the results message associated with the score.

It is recommended that you restrict anonymous access.

Scoring and results

Because of the existence of the EveryoneIncludesAnonymous registry setting in Windows XP, scoring for Windows XP and newer operating systems differs from scoring for Windows 2000 Server operating systems.

Scoring and results for Windows Vista and Windows XP

The following table shows how Client Security determines the score resulting from performing this check on computers running the Windows Vista™ or Windows XP operating system. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.

Score  | Everyone group includes anonymous users | RestrictAnonymous setting | Results message
-------|-----------------------------------------|---------------------------|----------------
High   | Yes | 0              | This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
High   | Yes | Doesn't exist  | The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.
High   | Yes | Not 0, 1, or 2 | Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value.
Medium | Yes | 1              | This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
Low    | Yes | 2              | This computer is properly restricting anonymous access.
Low    | No  | Any setting    | This computer is properly restricting anonymous access.

Scoring and results for Windows 2000 Server

The following table shows how Client Security determines the score resulting from performing this check on a computer running Windows 2000 Server. It also shows the results message that appears in related reports. You can use the results message for each score to determine the recommended resolution.

Score  | RestrictAnonymous setting | RestrictAnonymous setting is missing | Results message
-------|---------------------------|--------------------------------------|----------------
High   | 0              | No  | This computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
High   | Not applicable | Yes | The RestrictAnonymous key is not set in your registry. This key should be present and set to a value greater than 0.
High   | Not 0, 1, or 2 | No  | Invalid values were detected for some anonymous access settings on this computer. The current setting on this computer is: RestrictAnonymous = Value.
Medium | 1              | No  | This computer is running with RestrictAnonymous = 1. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
Low    | 2              | No  | This computer is properly restricting anonymous access.


More information:

http://technet.microsoft.com/en-us/library/bb418944.aspx
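Two checks a practitioner can run against a host, added here as an example that is not part of the TechNet article or of Forefront Client Security: the first function reproduces the two scoring tables above (what the scanner would report for a given RestrictAnonymous and EveryoneIncludesAnonymous state), and the second confirms from the network what an anonymous user can actually enumerate, which is the exposure the article's "Who is an administrator / which computers share information" list describes. The function names, the $IsWindows2000 switch (kernel version below 5.1) and the $Target parameter are this example's assumptions; the probe uses the classic null-session idiom, net use \\host\IPC$ "" /user:"", and needs SMB reachability to the target.

```powershell
# Added example, not part of the TechNet article or of Forefront Client Security.
# Assumptions: function names and parameters are this example's; $IsWindows2000 selects
# the Windows 2000 Server scoring table; the probe needs SMB access to $Target.

function Get-RestrictAnonymousScore {
    param($RestrictAnonymous, $EveryoneIncludesAnonymous, [bool]$IsWindows2000)

    # XP/Vista table: once Everyone no longer includes anonymous, every RestrictAnonymous
    # value scores Low. Windows 2000 has no EveryoneIncludesAnonymous, so it skips this branch.
    if (-not $IsWindows2000 -and $EveryoneIncludesAnonymous -ne 1) {
        return [pscustomobject]@{ Score = 'Low'; Message = 'This computer is properly restricting anonymous access.' }
    }

    # A missing value is handled before the switch: PowerShell's switch treats $null as an
    # empty list and would run no branch at all.
    if ($null -eq $RestrictAnonymous) {
        return [pscustomobject]@{ Score = 'High'; Message = 'The RestrictAnonymous key is not set in your registry.' }
    }

    $score, $message = switch ($RestrictAnonymous) {
        0       { 'High';   'RestrictAnonymous = 0 allows basic enumeration of user accounts, account policies, and system information.' }
        1       { 'Medium'; 'RestrictAnonymous = 1 prevents basic enumeration; 2 is the maximum setting.' }
        2       { 'Low';    'This computer is properly restricting anonymous access.' }
        default { 'High';   "Invalid value detected: RestrictAnonymous = $_" }
    }
    [pscustomobject]@{ Score = $score; Message = $message }
}

function Test-NullSessionEnumeration {
    param([Parameter(Mandatory)][string]$Target)

    # Start-Process hands the command line through verbatim, so the empty user name and
    # password survive (Windows PowerShell drops empty arguments passed directly to net.exe).
    $ipc = "\\$Target\IPC`$"
    $p   = Start-Process -FilePath net.exe -ArgumentList "use $ipc `"`" /user:`"`"" -NoNewWindow -Wait -PassThru
    $connected = ($p.ExitCode -eq 0)

    $shares = @()
    if ($connected) {
        # With the anonymous session in place, net view asks the target for its share list;
        # with RestrictAnonymous = 1 the session exists but this request is denied (error 5).
        $lines  = net.exe view "\\$Target" 2>$null
        $shares = @($lines | ForEach-Object {
            if ($_ -match '^(\S+)\s+(Disk|Print|IPC)\b') { $Matches[1] }
        })
        net.exe use $ipc /delete /y | Out-Null
    }

    [pscustomobject]@{
        Target           = $Target
        NullSession      = $connected
        SharesEnumerated = $shares.Count
        Shares           = ($shares -join ', ')
    }
}

# Local run: score this host from its registry, then probe it over the network.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ver = [Version](Get-WmiObject -Class Win32_OperatingSystem).Version
Get-RestrictAnonymousScore -RestrictAnonymous $lsa.RestrictAnonymous `
                           -EveryoneIncludesAnonymous $lsa.EveryoneIncludesAnonymous `
                           -IsWindows2000 ($ver -lt [Version]'5.1')
Test-NullSessionEnumeration -Target $env:COMPUTERNAME
```

Read the two results together: a Medium score with NullSession = True and SharesEnumerated = 0 is the expected state for RestrictAnonymous = 1 (the anonymous session is accepted, enumeration through it is refused), while RestrictAnonymous = 2 refuses the session itself. A refused session on a modern target does not by itself prove RestrictAnonymous is set, because later controls such as RestrictNullSessAccess ("Network access: Restrict anonymous access to Named Pipes and Shares") also block it; use the registry score to tell the two apart.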
