2.3.10.4 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' - Disabled

Information

This policy setting determines what additional permissions are assigned for anonymous connections to the computer.

The recommended state for this setting is: Disabled.

Rationale:

An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

Default Value:

Disabled. (Anonymous users can only access those resources for which the built-in group ANONYMOUS LOGON has been explicitly given permission.)
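
The following PowerShell check is an added example, not part of the benchmark text. It audits the setting described above and can reset it to Disabled. It assumes the policy is stored as the REG_DWORD value EveryoneIncludesAnonymous under the Lsa key (the page gives only the GP path) and that an absent value means the default, Disabled. The function name Test-EveryoneIncludesAnonymous is hypothetical.

```powershell
# Added example: audit (and optionally remediate) the registry value behind
# "Network access: Let Everyone permissions apply to anonymous users".
# Assumption: 0 = Disabled, 1 = Enabled; a missing value is treated as the
# default state (Disabled), matching the "Default Value" stated on the page.
function Test-EveryoneIncludesAnonymous {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [switch]$Remediate
    )

    $name  = 'EveryoneIncludesAnonymous'
    $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    # Classify the current state; $null means the value does not exist.
    if     ($null -eq $value) { $state = 'NotSet' }
    elseif ($value -eq 0)     { $state = 'Disabled' }
    else                      { $state = 'Enabled' }

    # Only write when the setting is actually non-compliant and -Remediate was given.
    # Requires an elevated session; honours -WhatIf and -Confirm.
    if ($state -eq 'Enabled' -and $Remediate -and
        $PSCmdlet.ShouldProcess("$Path\$name", 'Set to 0 (Disabled)')) {
        Set-ItemProperty -Path $Path -Name $name -Value 0 -Type DWord
        $value = 0
        $state = 'Disabled'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = $value
        State     = $state
        Compliant = ($state -ne 'Enabled')
    }
}

# Audit only; add -Remediate (optionally with -WhatIf) to correct a failing host.
Test-EveryoneIncludesAnonymous
```

If a domain GPO configures this option, it overwrites a local registry change at the next policy refresh, so correct the GPO at the UI path given above.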

See Also

https://workbench.cisecurity.org/files/4286