2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'

Information

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name.

The recommended state for this setting is: Disabled.

Rationale:

If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation

Impact:

None - this is the default behavior.

Default Value:

Disabled. (An anonymous user cannot request the SID attribute for another user.)

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-2(2), CSCv6|13

Plugin: Windows

Control ID: b5f0107cc3b5141a0612fb827d1d90573b6d56311f514743208245eaa23cf785