Question on - Network Access: Do not allow anonymous enumeration of SAM accounts and shares

Posted by Spin on April 3, 2008, 9:48 am
Gurus,

How much of a security risk do these Windows security settings pose if they
are allowed? I am not looking for a security exposition, just a few quick
thoughts?

Network Access: Allow anonymous SID/Name translation
Network Access: Do not allow anonymous enumeration of SAM accounts
Network Access: Do not allow anonymous enumeration of SAM accounts and
shares

--
Spin








Posted by Roger Abell [MVP] on April 10, 2008, 12:44 am
Only you can assess risk based on context of the machines.
Those settings only very rarely need to be set to allow these
things to anonymous. All your accounts can do those things
regardless of the settings.
So, based on context of machines you need to answer:
What risk is posed by allowing anyone that can connect via
the network the ability to discover my defined shares and
principals' (accounts, groups, joined computer) names, and
even the account and group SIDs that would not change when
these are renamed (such as done during response to penetration).
If your machines are not networked the risk is minimal, while
if live and naked on the internet then you would be needlessly
providing much info about your system (shares - where to
attempt logins distributed across multiple security event logs;
principals - what names to use; group - which are admins; etc.)
to anyone anywhere.
Roger


> Gurus,
>
> How much of a security risk do these Windows security settings pose if
> they are allowed? I am not looking for a security exposition, just a few
> quick thoughts?
>
> Network Access: Allow anonymous SID/Name translation
> Network Access: Do not allow anonymous enumeration of SAM accounts
> Network Access: Do not allow anonymous enumeration of SAM accounts and
> shares
>
> --
> Spin
>
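
To see how a machine is actually configured for the three settings discussed in this thread, the following added example (not part of the original posts) audits a policy file produced by `secedit /export /cfg`. It assumes the policies appear in the export as `LSAAnonymousNameLookup`, `RestrictAnonymousSAM` and `RestrictAnonymous`; the sample export is constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` file (not taken from the thread).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

# configparser lowercases option names, so the keys below are lowercase.
LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"

# (policy name as shown in the thread, INF section, key, "is restricted" test)
CHECKS = [
    ("Allow anonymous SID/Name translation",
     "System Access", "lsaanonymousnamelookup", lambda v: v == 0),
    ("Do not allow anonymous enumeration of SAM accounts",
     "Registry Values", LSA + "restrictanonymoussam", lambda v: v >= 1),
    ("Do not allow anonymous enumeration of SAM accounts and shares",
     "Registry Values", LSA + "restrictanonymous", lambda v: v >= 1),
]

def dword(raw):
    """'4,1' -> 1 (the leading 4 is the REG_DWORD type tag); '1' -> 1."""
    return int(raw.split(",")[-1].strip())

def audit(inf_text):
    """Return {policy name: 'restricted' | 'anonymous allowed' | 'not defined'}."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.read_string(inf_text)
    result = {}
    for name, section, key, is_restricted in CHECKS:
        raw = cfg.get(section, key, fallback=None)
        if raw is None:
            result[name] = "not defined"  # value absent from the export
        else:
            result[name] = "restricted" if is_restricted(dword(raw)) else "anonymous allowed"
    return result

if __name__ == "__main__":
    for policy, state in audit(SAMPLE_INF).items():
        print(f"{state:18} {policy}")
```
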


