Network access: Do not allow anonymous enumeration of SAM accounts

Information

Network access: Do not allow anonymous enumeration of SAM accounts

This security setting determines what additional permissions will be granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

This security option allows additional restrictions to be placed on anonymous connections as follows:

Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No additional restrictions. Rely on default permissions.

Default on workstations: Enabled.
Default on server:Disabled.

Important

This policy has no impact on domain controllers.

Solution

Policy Path: Security Options
Policy Setting Name: Network access: Do not allow anonymous enumeration of SAM accounts

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv6|16

Plugin: Windows

Control ID: 064513f42799d26bd5ab90e53b37cf8cf6392f33103183d187bba66de37a8b09