What is anonymous enumeration of SAM?

Two policy settings in the CIS Benchmarks control the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). When these policy settings are enabled, users with anonymous connections cannot enumerate domain account user names on the systems in your environment.

Until Windows 2000, it was possible to bypass the local authentication system by deleting the SAM file from disk, which let an attacker log in as any account without a password.

Microsoft corrected this flaw in Windows XP, which shuts down the system when an attacker tries to delete the SAM file. However, the SAM file can still be deleted offline, for example from a boot disk or through an emulated virtual device.

Do not allow anonymous enumeration of SAM accounts

This policy controls the additional permissions that are assigned to anonymous connections to the device. By default, Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.

Automating server hardening according to the Center for Internet Security (CIS) standards offers significant benefits. Setting this policy to “Enabled,” as recommended, restricts anonymous users from enumerating accounts on the system, both locally and over the LAN. Applying the setting through automation keeps the configuration consistent across systems, reduces the risk of human error, and saves time by streamlining the configuration process.

When this policy setting is enabled, anonymous users still have access to any resource whose permissions explicitly include the built-in group Anonymous Logon.

Configure Do not allow anonymous enumeration of SAM accounts

To configure via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

Do not allow anonymous enumeration of SAM accounts and shares

This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users cannot enumerate domain account user names or network share names on the systems in your environment.

The rationale for enabling the setting is that it prevents an unauthorized user from anonymously listing account names and shared resources and using that information to attempt to guess passwords or perform social engineering attacks.

Configure anonymous enumeration of shares

To configure via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

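As an added example (not from the original article), the following PowerShell audits both settings above on the local machine, and can optionally enforce the recommended value, by reading the registry values that back them. The value names RestrictAnonymousSAM and RestrictAnonymous under the Lsa key, and their mapping to the two Group Policy items (1 = Enabled), are assumptions here and are not given on the page.

```powershell
# Added example, not from the original article: audit (and optionally enforce)
# the two CIS settings discussed above by checking the registry values that
# back them. Assumption: Group Policy writes these Lsa values, with 1 = Enabled.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$AnonymousEnumerationSettings = @(
    @{ Name   = 'RestrictAnonymousSAM'
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts' },
    @{ Name   = 'RestrictAnonymous'
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' }
)

function Test-AnonymousEnumerationPolicy {
    [CmdletBinding()]
    param(
        # Set the CIS-recommended value (1) where a setting is missing or wrong.
        # Requires an elevated shell; on domain members prefer the GPO path above,
        # since Group Policy re-applies its own value at the next refresh.
        [switch]$Remediate
    )

    foreach ($s in $AnonymousEnumerationSettings) {
        # A missing value means "not configured", which is reported as non-compliant.
        $current   = (Get-ItemProperty -Path $LsaKey -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $compliant = ($current -eq 1)

        if (-not $compliant -and $Remediate) {
            Set-ItemProperty -Path $LsaKey -Name $s.Name -Value 1 -Type DWord
            $current   = 1
            $compliant = $true
        }

        $display = if ($null -eq $current) { 'Not configured' } else { $current }

        [pscustomobject]@{
            Policy    = $s.Policy
            Value     = $s.Name
            Current   = $display
            Expected  = 1
            Compliant = $compliant
        }
    }
}

# Audit only; add -Remediate to enforce the recommended value.
Test-AnonymousEnumerationPolicy | Format-Table -AutoSize
```

The Compliant column gives a quick per-setting result that can be collected from many hosts for a CIS audit report.
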
Possible values for the anonymous enumeration of SAM settings

  • Enabled
  • Disabled

When the setting is Enabled, the administrator cannot assign any additional permissions for anonymous connections to the device, and anonymous connections rely solely on the default permissions. When it is Disabled, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.

Where is the SAM stored?

The SAM database file is stored in C:\Windows\System32\config. All of the data within the file is encrypted. The password hashes are stored under HKEY_LOCAL_MACHINE\SAM.

Potential impact of enabling the settings

It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server.
