What is SID?

 

On a network, each user, whether verified or not, is given a security identifier (SID), a virtual name tag. This unique identifier helps with managing users: it gives administrators the ability to control the rights and permissions of each user individually, supports authentication, and provides an overall level of security. A SID also hides private information about users, such as the real names of the accounts, adding another layer of protection.

 

In essence, this setting enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user.

 


 

Allow anonymous SID/Name translation vulnerability

 

When this policy setting is enabled, a user with local access might use the Administrator’s SID to uncover the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to launch a password-guessing attack. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.

 

This information gathering can take the form of:

 

  • Username Enumeration: By translating SIDs to usernames, attackers can identify valid usernames on the system. This can be used in brute-force password attacks, where attackers try to guess the password for each username.
  • Identifying Privileged Accounts: Some SIDs are associated with privileged accounts (like administrators). Exposing these SIDs can tip off attackers to target these accounts with stronger attacks.

 

This can result in the exploitation of weaknesses:

 

  • Weak Password Attacks: Once attackers have a list of usernames (through SID translation), they can launch automated attacks that try common passwords against each username.

 

  • Social Engineering: Knowing usernames can be used for social engineering attacks. Attackers might impersonate IT support or a trusted user to trick victims into revealing passwords or clicking on malicious links.

 


Potential impact

 

Disabled is the default configuration for the ‘Network access: Allow anonymous SID/Name translation’ policy setting on member computers; therefore, disabling it has no impact on them. The default configuration for domain controllers is Enabled. If you disable this policy setting on domain controllers, computers running versions of Windows earlier than Windows Server 2003 may not communicate with Windows Server 2003-based domains. For example, computers with the following configurations may not work:

 

  • Windows NT 4.0-based Remote Access Service servers
  • Servers that host Microsoft SQL Server® and run on Windows NT 3.x-based or Windows NT 4.0-based computers
  • Servers that host Remote Access Service or Microsoft SQL Server that run on Windows 2000-based computers and are located in Windows NT domains

 

Remediation

Disable the Network access: Allow anonymous SID/Name translation setting.

 

Possible Values

 

  • Enabled

If this policy setting is enabled, a user might use the well-known Administrators SID to get the real name of the built-in Administrator account, even if the account has been renamed.

 

  • Disabled

Prevents an anonymous user from requesting the SID attribute for another user.

 

  • Not defined

Default values

The following table lists the actual and effective default values for this policy:

| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |

 

Operating system version differences

The default value of this setting has changed between operating systems as follows:

  • The default on domain controllers running Windows Server 2003 R2 or earlier was set to Enabled.
  • The default on domain controllers running Windows Server 2008 or Windows Server 2008 R2 is set to Disabled.

 

Where to find Allow anonymous SID/Name translation

 

To locate Anonymous SID/Name translation settings on a Local System:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

 

To locate Anonymous SID/Name translation settings via Group Policy:

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
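
The same setting can be audited from the command line. The following is an added example, not part of the original article: it assumes the setting is stored as `LSAAnonymousNameLookup` under `[System Access]` in a security template (a `secedit` export or a GPO's `GptTmpl.inf`), and the function name and sample template are constructed for illustration.

```powershell
# Classify "Network access: Allow anonymous SID/Name translation" from the
# lines of a security template. Function name is hypothetical (added example).
function Get-AnonymousSidTranslationState {
    param([string[]]$InfLines)

    $section = ''
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        # Track which [Section] of the template we are in.
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # The setting is stored in [System Access] as 0 (Disabled) or 1 (Enabled).
        if ($section -eq 'System Access' -and
            $text -match '^LSAAnonymousNameLookup\s*=\s*(\d+)$') {
            $enabled = [int]$Matches[1] -ne 0
            return [pscustomobject]@{
                State     = if ($enabled) { 'Enabled' } else { 'Disabled' }
                Compliant = -not $enabled
            }
        }
    }
    # Key absent: the template leaves the setting "Not defined", so the
    # effective value falls back to the default. Flag it for review.
    [pscustomobject]@{ State = 'Not defined'; Compliant = $false }
}

# Constructed sample resembling a security template with the setting enabled.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LSAAnonymousNameLookup = 1
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Get-AnonymousSidTranslationState -InfLines $sample

# Live check on a Windows host (run from an elevated prompt):
# secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY | Out-Null
# Get-AnonymousSidTranslationState -InfLines (Get-Content "$env:TEMP\secpol.inf")
```

Running the function against a GPO template that omits the key returns `Not defined`, which is worth reviewing on domain controllers because the table above lists their effective default as Enabled.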

 

Best practice

 

Disabling anonymous SID/Name translation is a security best practice that helps mitigate attacks that rely on information disclosure. It makes it harder for attackers to gather information needed to exploit existing vulnerabilities in your system.

 

However, this is just one of many security settings that can leave a system vulnerable to exploits. It is a good idea to harden your system so that it is better protected against threats and attackers.
