2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)

Information

This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER.

Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously.

Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system.

Solution

To establish the recommended configuration via GP, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

Impact:

Null session access over named pipes will be disabled unless they are included, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The BROWSER named pipe may need to be added to this list if the Computer Browser service is needed for supporting legacy components. The Computer Browser service is disabled by default.
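The following PowerShell check is an added example, not part of the CIS benchmark or the audit plugin. It compares the pipes open to anonymous access with the recommended list and the two exceptions described above. The function name, its parameters, and the registry location read at the end (the `NullSessionPipes` value under `LanManServer\Parameters`, where Windows stores this setting) are assumptions not taken from this page.

```powershell
# Added example, not CIS or Tenable code. Function and parameter names are hypothetical.
function Test-NullSessionPipes {
    param(
        [string[]]$Configured,                  # pipes currently open to anonymous access
        [bool]$BrowserServiceEnabled = $false,  # legacy Computer Browser service in use
        [bool]$RdLicensingException = $false    # Member Server holding RD Licensing
    )
    # Recommended state from this item, plus the two documented exceptions.
    $allowed = @('LSARPC', 'NETLOGON', 'SAMR')
    if ($BrowserServiceEnabled) { $allowed += 'BROWSER' }
    if ($RdLicensingException)  { $allowed += 'HydraLSPipe', 'TermServLicensing' }

    # Drop null/blank entries; -notin compares strings case-insensitively.
    $cleaned = @($Configured | Where-Object { $_ -and $_.Trim() } |
                 ForEach-Object { $_.Trim() })
    $unexpected = @($cleaned | Where-Object { $_ -notin $allowed })

    # Assumption: only pipes outside the allowed list count as a failure.
    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0)
        Unexpected = $unexpected
        Allowed    = $allowed
    }
}

# Constructed sample values (not collected from a real host).
# 1) The recommended list, in lower case.
Test-NullSessionPipes -Configured 'netlogon', 'samr', 'lsarpc'
# 2) BROWSER listed while the Browser flag is off, plus one extra pipe.
Test-NullSessionPipes -Configured 'NETLOGON', 'SAMR', 'BROWSER', 'SQL\QUERY'

# Live check, only attempted on Windows.
if ($env:OS -eq 'Windows_NT') {
    # Assumption: registry location where Windows stores this policy value.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $pipes = (Get-ItemProperty -Path $key -Name NullSessionPipes `
              -ErrorAction SilentlyContinue).NullSessionPipes
    # The Computer Browser service may be absent on current Windows builds.
    $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
    $browserOn = [bool]($svc -and $svc.StartType -ne 'Disabled')
    Test-NullSessionPipes -Configured $pipes -BrowserServiceEnabled $browserOn
}
```

Pass `-RdLicensingException $true` only on a Member Server that actually holds the Remote Desktop Licensing Role Service.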

See Also

https://workbench.cisecurity.org/benchmarks/17096

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(2)

Plugin: Windows

Control ID: fac360c641e47b5b734ee6c8c74c000bd08f3e31528f2fe5cea666b125dc4126