In this article we'll cover what is SAM (Security Accounts Manager) and its related policy in the Network Access domain "Do not allow anonymous enumeration of SAM accounts". The values, vulnerability, and security recommendations of this policy.
This blog post will cover:
Until Windows 2000, it was possible to bypass local authentication system by deleting the SAM file from the storage, which granted access to attackers to log in as any account without requiring a password.
Microsoft corrected this flaw in Windows XP, which shuts down the system when an attacker tries to delete the SAM file. But by using software utilities like an emulated virtual device, or a boot disk SAM file can be deleted.
"Do not allow anonymous enumeration of SAM accounts"
This policy controls the additional permissions that will be assigned to anonymous connections to the device. Anonymous users are allowed to perform certain activities by Windows, like enumerating names of domain accounts and network shares.
The best practice from the Center for Internet Security (CIS) standards for hardening and configuration to configure this policy is as "Enabled," this will restrict anonymous users to access the system either locally or on LAN.
When users that do not maintain reciprocal trust are to be given access by the administrator in a trusted domain this policy setting can be of convenience. When this policy setting is enabled, anonymous users will still have access to resources with permissions explicitly including the built-in group Anonymous Logon.
When this policy setting is set to enabled, anonymous users will not be allowed to enumerate domain account user names and network share names.
When this policy setting is set to disabled, administrator can no longer assign additional permissions for anonymous connections to the device.
This is the default value for this policy setting.
|Default Domain Policy
|Default Domain Controller Policy
|DC Effective Default Settings
Where is SAM stored
The SAM database file is stored within C:\Windows\System32\config. All of the data within the file is encrypted. The passwords hashes are stored in HKEY_LOCAL_MACHINE\SAM.
Potential vulnerability in this setting
An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Unauthorized User Access
The vulnerability in this policy setting is that anonymously an unauthorized user can list account names and shared resources and then will use that information to perform social-engineering attacks or tries to guess passwords.
Potential impact of vulnerability
It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server.
Countermeasures for mitigating this vulnerability
Enabling the policy setting "Network access: Do not allow anonymous enumeration of SAM accounts and shares" is a remedy to overcome this vulnerability.
CalCom’s recommended value