Tuesday, December 1, 2009

avoid anonymous connections using Group Policy Objects

To protect your Windows XP and Server 2003 computers, go to the same node within a GPO, but configure the following GPO settings: Microsoft has relied on anonymous connections to allow computers and services to establish open communications with other computers. These anonymous connections are not secure, however. Attackers exploit anonymous connections left open on Windows computers to access essential security-related information. With Group Policy Objects (GPOs), you can protect your Windows computers to restrict the anonymous connections.

What you are protecting

Once an attacker has made an anonymous connection to your computer, gaining access to much of the security-related information is easy. An attacker can gather the following information with an anonymous connection:

  • List of users from your computer, including Active Directory
  • List of groups from your computer, including Active Directory
  • Security identifiers (SIDs) for user accounts
  • User accounts for SIDs
  • List of shares from your computer
  • Account policies from your computer
  • NetBIOS name from your computer
  • Domain name associated with your computer
  • List of domains that your domain trusts

Protection-level updates are here

To protect against anonymous connections and enumeration of essential security information, you should use Group Policy Objects. Microsoft changed the level of protection for the Windows 2000 and Windows XP/2003 environments.

  • Network access: Allow anonymous SID/Name translation. This protects against tools that can grab the SID based on a name or vice-versa. You should set this to "Disabled."
  • Network access: Let Everyone permissions apply to anonymous users. This protects against an anonymous connection accessing all resources that the Everyone group is configured to access. You should set this to "Disabled."
  • Network access: Do not allow anonymous enumeration of storage area management (SAM) accounts. This protects against enumerating the list of users and groups in the SAM directory (or Active Directory). You should set this to "Enabled."
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares. This protects against listing users and groups from the SAM directory, as well as the list of shares for the computer. You should set this to "Enabled."

No comments: