Information
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name.
The recommended state for this setting is: Disabled.
Rationale:
If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Impact:
None - this is the default behavior.
Default Value:
Disabled. (An anonymous user cannot request the SID attribute for another user.)
References:
1. CCE-34914-2