Network access: Restrict anonymous access to Named Pipes and SharesID: oval:org.secpod.oval:def:35232 | Date: (C)2016-06-10 (M)2023-12-13 |
Class: COMPLIANCE | Family: windows |
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
Network access: Named pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
Default: Enabled.
Counter Measure:
Configure the Network access: Restrict anonymous access to Named Pipes and Shares setting to Enabled.
Potential Impact:
You can enable this policy setting to restrict null session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries.
If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipes are required to maintain trust relationships between the domains, and then add the pipe to the Network access: Named pipes that can be accessed anonymously:
- COMNAP-SNA session access
- COMNODE-SNA session access
- SQL\QUERY-SQL instance access
- SPOOLSS-Spooler service
- LLSRPC-License Logging service
- Netlogon-Net Logon service
- Lsarpc-LSA access
- Samr-Remote access to SAM objects
- browser-Computer Browser service
Previous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increased hardening in Windows Server 2003 with SP1 these pipes must be explicitly added if needed."
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters!restrictnullsessaccess
Platform: |
Microsoft Windows 10 |