Network management from an administrative perspective is helpful; but improperly configured, it's an attacker's dream. Restricting network access helps ensure that only authorized users have permission to the various entities reachable over the network.
Notice: Before you begin, ensure that this article is relevant to your organization and to the Windows version you're managing. This article is applicable up to Windows 20.04 and is meant to remain in line with how the Group Policy Editor is laid out.
The following group policy options are located under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Allow anonymous SID/Name translation
Windows Description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.
Recommended Configuration: Disabled.
Rationale: This configuration is the default behavior; if enabled, anonymous users with local access could use the administrator SIDs to learn the real name of the built-in Administrator account.
Do not allow anonymous enumeration of SAM accounts
Windows Description: This security setting determines what additional permissions will be granted for anonymous connections to the computer.
Recommended Configuration: Enabled.
Rationale: This configuration is the default behavior; if it were disabled, unauthorized users could enumerate account names.
Do not allow anonymous enumeration of SAM accounts and shares
Windows Description: This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
Recommended Configuration: Enabled.
Rationale: This configuration prevents unauthorized users from anonymously listing account names and shared resources.
Do not allow storage of passwords and credentials for network authentication
Windows Description: This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
Recommended Configuration: Enabled.
Rationale: This configuration prevents unauthorized programs from reading cached network credentials that could then be forwarded to an unauthorized user.
Let Everyone permissions apply to anonymous users
Windows Description: This security setting determines what additional permissions are granted for anonymous connections to the computer.
Recommended Configuration: Disabled.
Rationale: This configuration is the default behavior; if enabled, it would grant anonymous users the permissions of the Everyone group.
Named Pipes that can be accessed anonymously
Windows Description: This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access.
Recommended Configuration: None.
Rationale: This configuration reduces the attack surface of a given machine within the Domain.
Remotely accessible registry paths
Windows Description: This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.
Recommended Configuration: System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Rationale: Because the registry is the backbone of a given system, it must be locked down. If an unauthorized user has access to this, they own the entire system.
Remotely accessible registry paths and sub-paths
Windows Description: This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.
Recommended Configuration: System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Rationale: Because the registry is the backbone of a given system, it must be locked down. If an unauthorized user has access to this, they own the entire system.
Restrict anonymous access to Named Pipes and Shares
Windows Description: When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
Network access: Named pipes that can be accessed anonymously.
Network access: Shares that can be accessed anonymously.
Recommended Configuration: Enabled.
Rationale: This configuration is the default behavior, but null sessions can be exploited through network shares within your domain.
Restrict clients allowed to make remote calls to SAM
Windows Description: This policy setting allows you to restrict remote RPC connections to SAM.
Recommended Configuration: Enabled; Administrators.
Rationale: This configuration is the default behavior, but this ensures that unauthorized users cannot list local account names or groups.
Shares that can be accessed anonymously
Windows Description: This security setting determines which network shares can be accessed by anonymous users.
Recommended Configuration: None.
Rationale: This configuration is the default behavior; if improperly configured, it would allow any user to access shares.
Sharing and security model for local accounts
Windows Description: This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.
Recommended Configuration: Classic – local users authenticate as themselves.
Rationale: This is the default configuration, though, if improperly configured, it could allow any user to authenticate to a given computer over the network.
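The settings above are applied by Group Policy, but each one is ultimately stored as a registry value on the machine, so the quickest way to verify a host actually received the recommended configuration is to read those values back. The following audit script is an added example (not part of the original article or of any Microsoft tooling); it reads the well-known Lsa, LanmanServer and Winreg values that back these policies and reports PASS/FAIL against the recommendations in this article. "Allow anonymous SID/Name translation" has no registry value (it lives in the LSA policy database) and is therefore not covered.

```powershell
# Added audit example (not from the article): compares the registry values that back the
# "Network access" policies above against the recommended settings. Read-only; run elevated.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'

# Policy name, registry path, value name, expected value (as the policy stores it)
$checks = @(
  @{ Policy='Do not allow anonymous enumeration of SAM accounts';            Path=$lsa; Name='RestrictAnonymousSAM';      Expected=1 },
  @{ Policy='Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa; Name='RestrictAnonymous';         Expected=1 },
  @{ Policy='Do not allow storage of passwords and credentials';             Path=$lsa; Name='DisableDomainCreds';        Expected=1 },
  @{ Policy='Let Everyone permissions apply to anonymous users';             Path=$lsa; Name='EveryoneIncludesAnonymous'; Expected=0 },
  @{ Policy='Sharing and security model for local accounts (Classic)';       Path=$lsa; Name='ForceGuest';                Expected=0 },
  @{ Policy='Restrict clients allowed to make remote calls to SAM';          Path=$lsa; Name='RestrictRemoteSAM';         Expected='O:BAG:BAD:(A;;RC;;;BA)' },
  @{ Policy='Restrict anonymous access to Named Pipes and Shares';           Path=$srv; Name='RestrictNullSessAccess';    Expected=1 },
  @{ Policy='Named Pipes that can be accessed anonymously';                  Path=$srv; Name='NullSessionPipes';          Expected=@() },
  @{ Policy='Shares that can be accessed anonymously';                       Path=$srv; Name='NullSessionShares';         Expected=@() },
  @{ Policy='Remotely accessible registry paths'; Path="$reg\AllowedExactPaths"; Name='Machine';
     Expected=@('System\CurrentControlSet\Control\ProductOptions',
                'System\CurrentControlSet\Control\Server Applications',
                'Software\Microsoft\Windows NT\CurrentVersion') }
)

foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined" and the OS default applies
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { $null } else { $item.($c.Name) }

    if ($c.Expected -is [array]) {
        # Multi-string values (pipes, shares, registry paths): order-insensitive comparison
        $actualList = @($actual | Where-Object { $_ -ne '' })
        $ok = ($actualList.Count -eq $c.Expected.Count) -and
              ($actualList.Count -eq 0 -or -not (Compare-Object $actualList $c.Expected))
        $shown = if ($actualList.Count) { $actualList -join '; ' } else { '<none>' }
    } else {
        $ok = ($actual -eq $c.Expected)
        $shown = if ($null -eq $actual) { '<not defined>' } else { $actual }
    }
    [pscustomobject]@{ Status = $(if ($ok) { 'PASS' } else { 'FAIL' }); Policy = $c.Policy; Actual = $shown }
}
```

The "Remotely accessible registry paths and sub-paths" list can be checked the same way by adding an entry for the `Machine` value under `$reg\AllowedPaths` with this article's recommended sub-paths as the expected array.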
Sources:
These configurations were established with help from the following sources:
SANS Sample Policies
CIS Controls
Tech Republic Sample Policies