1.1.1.2.1.72 Configure 'Network access: Named Pipes that can be accessed anonymously'

Information

This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return: type the first object on the list, press Enter, type the next object, press Enter again, and so on. The setting value is stored as a comma-delimited list in Group Policy security templates. It is also rendered as a comma-delimited list in the Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed-delimited list in a REG_MULTI_SZ value.

You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. Some of the default named pipes and their purposes are listed below:

Browser - Named pipe for the Computer Browser service.
COMNAP - SNABase named pipe. Systems Network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.
COMNODE - SNA Server named pipe.
EPMAPPER - End Point Mapper named pipe.
LOCATOR - Remote Procedure Call Locator service named pipe.
Lsarpc - Named pipe for the Local Security Authority Remote Procedure Call service.
Netlogon - Named pipe for the NetLogon service.
Samr - Named pipe for the Security Accounts Manager service.
SPOOLSS - Named pipe for the Print Spooler service.
SQL\QUERY - Default named pipe for SQL Server.
Srvsvc - Named pipe for the Server service.
TrkSvr - Distributed Link Tracking Server named pipe.
TrkWks - Distributed Link Tracking Client named pipe.
Wkssvc - Named pipe for the Workstation service.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

Impact: This configuration will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. For example, with Microsoft Commercial Internet System 1.0, the Internet Mail Service runs under the Inetinfo process. Inetinfo starts in the context of the System account. When Internet Mail Service needs to query the Microsoft SQL Server database, it uses the System account, which uses null credentials to access a SQL pipe on the computer that runs SQL Server. To avoid this problem, refer to the Microsoft Knowledge Base article How to access network files from IIS applications, which is located at http://support.microsoft.com/default.aspx?scid=207671.
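As an added audit example (not part of the CIS benchmark or the Tenable plugin), the following PowerShell reads the registry-backed value described above, converts a template-style comma-delimited baseline into the same one-pipe-per-element form the REG_MULTI_SZ uses, and reports any pipe that is anonymously accessible but absent from the baseline. It assumes the setting is stored in the NullSessionPipes REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, which the page itself does not name.

```powershell
# Added example, not from the benchmark or plugin. Assumption: the policy is backed
# by the REG_MULTI_SZ value NullSessionPipes under the LanmanServer Parameters key.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegValue = 'NullSessionPipes'

# Baseline in the comma-delimited form used by security templates and the GPO display pane.
# An empty string means no pipe may be accessed anonymously (the hardened state).
$Baseline = ''

function Get-NullSessionPipes {
    # Registry form: one pipe per array element (line-feed delimited on disk).
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @($item.$RegValue) |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
}

function ConvertFrom-TemplateList {
    # Template/GPO form: a single comma-delimited string.
    param([string]$CommaList)
    if ([string]::IsNullOrWhiteSpace($CommaList)) { return @() }
    $CommaList -split ',' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
}

$actual   = @(Get-NullSessionPipes)
$expected = @(ConvertFrom-TemplateList $Baseline)
$extra    = @($actual | Where-Object { $expected -notcontains $_ })

if ($extra.Count -eq 0) {
    Write-Output "PASS: anonymous named-pipe list matches baseline [$($actual -join ',')]"
} else {
    Write-Output "FAIL: pipes accessible anonymously but not in baseline: $($extra -join ', ')"
    # Remediation belongs in the Group Policy setting named in the Solution so policy
    # refresh does not revert it; a local equivalent (run elevated, only after confirming
    # no application depends on null-session pipe access, see Impact) would be:
    # Set-ItemProperty -Path $RegPath -Name $RegValue -Value ([string[]]$expected) -Type MultiString
}
```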

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(2), CCE|CCE-3711-9

Plugin: Windows

Control ID: 8a5a9622a54813c2e95f93f6241e9cfb66bb2ff712b711ce6a80e6ae748e556b