2.3.10.5 Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) - Network access: Named Pipes that can be accessed anonymously (DC only)

Information

This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER.

Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously.

Rationale:

Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system.

Impact:

Null session access over named pipes will be disabled unless the pipes are included in this list, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The BROWSER named pipe may need to be added to this list if the Computer Browser service is needed for supporting legacy components. The Computer Browser service is disabled by default.

Solution

To establish the recommended configuration via GP, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

Default Value:

None.
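
To audit the setting on a domain controller, the following PowerShell is an added example, not part of the benchmark text. It assumes the policy is stored in the standard NullSessionPipes value under the LanManServer parameters key (a location not stated on this page); the function name Test-NullSessionPipes and the sample pipe name are hypothetical.

```powershell
# Added example: compare NullSessionPipes with the recommended list.
# Assumption: the policy is stored in the standard LanManServer location below.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$name = 'NullSessionPipes'

function Test-NullSessionPipes {
    param(
        [string[]]$Configured,   # pipe names currently listed (may be empty)
        [bool]$BrowserEnabled    # is the legacy Computer Browser service enabled?
    )
    $recommended = @('LSARPC', 'NETLOGON', 'SAMR')
    if ($BrowserEnabled) { $recommended += 'BROWSER' }

    # Normalise: drop empty entries, trim whitespace, upper-case for comparison.
    $pipes = @($Configured | Where-Object { $_ -and $_.Trim() } |
               ForEach-Object { $_.Trim().ToUpperInvariant() })

    $unexpected = @($pipes | Where-Object { $_ -notin $recommended })
    $missing    = @($recommended | Where-Object { $_ -notin $pipes })

    [pscustomobject]@{
        Configured = $pipes
        Unexpected = $unexpected   # anonymous pipes outside the recommended list
        Missing    = $missing      # recommended pipes not present (informational)
        Pass       = ($unexpected.Count -eq 0)
    }
}

# Live check. An absent or empty value matches the default of "None".
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# The Browser service may not exist on newer Windows Server builds.
$svc = Get-Service -Name 'Browser' -ErrorAction SilentlyContinue
$browserEnabled = [bool]($svc -and $svc.StartType -ne 'Disabled')

Test-NullSessionPipes -Configured $value -BrowserEnabled $browserEnabled

# Constructed sample input: one entry outside the recommended list.
Test-NullSessionPipes -Configured @('netlogon', 'samr', 'examplepipe') -BrowserEnabled $false
# Unexpected = EXAMPLEPIPE, Missing = LSARPC, Pass = False
```

Treating "no unexpected entries" as a pass is an assumption of this example; a server covered by the Remote Desktop Licensing exception in the note above would need HydraLSPipe and TermServLicensing added to the recommended list.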

See Also

https://workbench.cisecurity.org/files/4286

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(2)

Plugin: Windows

Control ID: eb8bc03e685b970f7be4c3e3bfe6773a297ee61b751735ffd9e8067c8abceb08