
Group Policy: Network Access Security Options

Network management from an administrative perspective is helpful; but improperly configured, it's an attacker's dream. Restricting network access ensures that only authorized users can reach resources over the network.

Notice: Before you begin, ensure that this article is relevant to your organization and the Windows version you're managing. This article is applicable up to Windows 20.04 and is meant to remain in line with how the Group Policy editor is laid out.

The following Group Policy options are located under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Allow anonymous SID/Name translation

Windows Description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.

Recommended Configuration: Disabled.

Rationale: Disabled is the default behavior; if enabled, anonymous users with local access could use the well-known administrator SIDs to learn the real name of the built-in administrator account.

Do not allow anonymous enumeration of SAM accounts

Windows Description: This security setting determines what additional permissions will be granted for anonymous connections to the computer.

Recommended Configuration: Enabled.

Rationale: Enabled is the default behavior; if this setting is left disabled, unauthorized users could enumerate account names.


Do not allow anonymous enumeration of SAM accounts and shares

Windows Description: This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Recommended Configuration: Enabled.

Rationale: This configuration prevents unauthorized users from anonymously listing account names and shared resources.

Do not allow storage of passwords and credentials for network authentication

Windows Description: This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.

Recommended Configuration: Enabled.

Rationale: This configuration prevents unauthorized programs from reading cached network credentials that could otherwise be forwarded to an unauthorized user.


Let Everyone permissions apply to anonymous users

Windows Description: This security setting determines what additional permissions are granted for anonymous connections to the computer.

Recommended Configuration: Disabled.

Rationale: Disabled is the default behavior; if enabled, the Anonymous user would receive the permissions of the Everyone group.

Named Pipes that can be accessed anonymously

Windows Description: This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access.

Recommended Configuration: None.

Rationale: This configuration reduces the attack surface of a given machine within the Domain.


Remotely accessible registry paths

Windows Description: This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Recommended Configuration:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

Rationale: Because the registry is the backbone of a given system, it must be locked down. If an unauthorized user has access to this, they own the entire system.

Remotely accessible registry paths and sub-paths

Windows Description: This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Recommended Configuration:

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Rationale: Because the registry is the backbone of a given system, it must be locked down. If an unauthorized user has access to this, they own the entire system.


Restrict anonymous access to Named Pipes and Shares

Windows Description: When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:

Network access: Named pipes that can be accessed anonymously.

Network access: Shares that can be accessed anonymously.

Recommended Configuration: Enabled.

Rationale: This configuration is the default behavior, but null sessions can be exploited through network shares within your domain.

Restrict clients allowed to make remote calls to SAM

Windows Description: This policy setting allows you to restrict remote RPC connections to SAM.

Recommended Configuration: Enabled; Administrators.

Rationale: Enabled is the default behavior; this ensures that unauthorized users cannot list local account names or groups.


Shares that can be accessed anonymously

Windows Description: This security setting determines which network shares can be accessed by anonymous users.

Recommended Configuration: None.

Rationale: None is the default behavior; if improperly configured, it would allow any user to access the listed shares anonymously.

Sharing and security model for local accounts

Windows Description: This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.

Recommended Configuration: Classic – local users authenticate as themselves.

Rationale: This is the default configuration, though, if improperly configured, it could allow any user to authenticate to a given computer over the network.
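To check a machine against the recommendations above, the following audit script (added here as an example; it is not part of the original article) reads the registry values these "Network access" policies write and reports any that differ. It assumes an elevated PowerShell session on the machine being checked; "Allow anonymous SID/Name translation" is stored in the LSA policy database rather than the registry, so it is left out.

```powershell
# Added audit example, not from the original article: compare the registry values written by
# the "Network access" policies with the recommended configuration. Run elevated on the target.
# "Allow anonymous SID/Name translation" is not registry-backed (see secedit /export) and is omitted.
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Wreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'

# Path lists recommended in the article (stored as REG_MULTI_SZ under the Winreg key).
$ExactPaths = @('System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications',
                'Software\Microsoft\Windows NT\CurrentVersion')
$SubPaths = @('System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog',
              'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print',
              'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex',
              'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig',
              'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
              'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\SysmonLog')

# Policy name, registry key, value name and recommended value (arrays are REG_MULTI_SZ; @() means empty).
$Checks = @(
    @{ Policy='Do not allow anonymous enumeration of SAM accounts';            Key=$Lsa; Name='RestrictAnonymousSAM';      Expected=1 },
    @{ Policy='Do not allow anonymous enumeration of SAM accounts and shares'; Key=$Lsa; Name='RestrictAnonymous';         Expected=1 },
    @{ Policy='Do not allow storage of passwords and credentials';             Key=$Lsa; Name='DisableDomainCreds';        Expected=1 },
    @{ Policy='Let Everyone permissions apply to anonymous users';             Key=$Lsa; Name='EveryoneIncludesAnonymous'; Expected=0 },
    @{ Policy='Sharing and security model for local accounts (Classic)';       Key=$Lsa; Name='ForceGuest';                Expected=0 },
    @{ Policy='Restrict clients allowed to make remote calls to SAM';          Key=$Lsa; Name='RestrictRemoteSAM';         Expected='O:BAG:BAD:(A;;RC;;;BA)' },
    @{ Policy='Restrict anonymous access to Named Pipes and Shares';           Key=$Srv; Name='RestrictNullSessAccess';    Expected=1 },
    @{ Policy='Named Pipes that can be accessed anonymously';                  Key=$Srv; Name='NullSessionPipes';          Expected=@() },
    @{ Policy='Shares that can be accessed anonymously';                       Key=$Srv; Name='NullSessionShares';         Expected=@() },
    @{ Policy='Remotely accessible registry paths';                            Key="$Wreg\AllowedExactPaths"; Name='Machine'; Expected=$ExactPaths },
    @{ Policy='Remotely accessible registry paths and sub-paths';              Key="$Wreg\AllowedPaths";      Name='Machine'; Expected=$SubPaths }
)

# Normalise a scalar or multi-string value into one order-independent, case-insensitive string.
function ConvertTo-Canonical($Value) {
    (@($Value) | Where-Object { $null -ne $_ -and "$_".Trim() } |
        ForEach-Object { "$_".Trim().ToLowerInvariant() } | Sort-Object) -join '|'
}

foreach ($c in $Checks) {
    # A missing value means the OS default is in effect; it is flagged for review rather than assumed safe.
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = (ConvertTo-Canonical $c.Expected) -eq (ConvertTo-Canonical $actual)
    [pscustomobject]@{ Policy = $c.Policy; Expected = (@($c.Expected) -join ';')
                       Actual = (@($actual) -join ';'); Status = $(if ($ok) { 'OK' } else { 'REVIEW' }) }
}
```

Rows marked REVIEW either hold a different value or have no value set, in which case the OS default (not the GPO) is what is in effect on that host.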


Sources:

These configurations were established with the help from the following sources:

SANS Sample Policies

CIS Controls

Tech Republic Sample Policies