should anonymous access to the IPC share be allowed on Windows 2008 r2

7,591

Change the registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
    RestrictAnonymous = 2

Or, if you'd rather do it via Group Policy:

Network access: Restrict anonymous access to Named Pipes and Shares = Enabled.

Also you want to make sure that

Network access: Let Everyone permissions apply to anonymous users

is set to Disabled. This corresponds to the registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
    EveryoneIncludesAnonymous = 0
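An added PowerShell check, not part of the original answer, that reads the registry values behind these "Network access" policies and reports which ones are at their hardened value. The RestrictAnonymousSAM, RestrictNullSessAccess, NullSessionPipes and NullSessionShares mappings are the standard Windows policy-to-registry mappings and are assumed here; they are not named on this page. Requires PowerShell 3.0 or later, run elevated.

```powershell
# Added audit script (not from the original answer). Assumes the stock key layout of
# Windows Server 2008 R2; mappings other than RestrictAnonymous and
# EveryoneIncludesAnonymous are the standard ones and are not listed on this page.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# One entry per policy: where its value lives and a test that is $true when hardened.
# A missing DWORD is treated as "not configured" and fails; a missing multi-string
# list of pipes/shares is the same as <blank> and passes.
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Path = $lsa; Name = 'RestrictAnonymousSAM';      Ok = { param($v) $v -eq 1 } },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous';         Ok = { param($v) $v -ge 1 } },
    @{ Policy = 'Let Everyone permissions apply to anonymous users'
       Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Ok = { param($v) $v -eq 0 } },
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares'
       Path = $srv; Name = 'RestrictNullSessAccess';    Ok = { param($v) $v -eq 1 } },
    @{ Policy = 'Named Pipes that can be accessed anonymously'
       Path = $srv; Name = 'NullSessionPipes';          Ok = { param($v) -not $v } },
    @{ Policy = 'Shares that can be accessed anonymously'
       Path = $srv; Name = 'NullSessionShares';         Ok = { param($v) -not $v } }
)

function Test-AnonymousAccessHardening {
    foreach ($c in $checks) {
        # SilentlyContinue turns a missing value name into $null instead of an error.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.($c.Name) }

        $shown = '<not set>'
        if ($null -ne $value) { $shown = ($value -join ',') }

        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $shown
            Hardened = & $c.Ok $value
        }
    }
}

# Rows with Hardened = False are the settings that still allow anonymous access.
Test-AnonymousAccessHardening | Format-Table -AutoSize
```

Note that these values only tell you what the server enforces for enumeration and share access; as the question below shows, a successful null-session connect to IPC$ by itself does not mean any of them are misconfigured.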


Author: 5y5tem5

Updated on September 18, 2022

Comments

  • 5y5tem5 almost 2 years

    During an audit the question of anonymous access to the IPC$ (null sessions) share was raised. The audit lists the following as being a risk on a Windows 2008 R2 file server:

    C:\>net use \\fileserver\ipc$ "" /user:""
    The command completed successfully.

    I've confirmed that the following settings are configured

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

    Network access: Allow anonymous SID/Name translation = disabled
    Network access: Do not allow anonymous enumeration of SAM accounts = enabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares = enabled
    Network access: Let Everyone permissions apply to anonymous users = disabled
    Network access: Named Pipes that can be accessed anonymously = <blank>
    Network access: Shares that can be accessed anonymously = <blank>

    and that anonymous enumeration (shares, users, etc.) does not work, but I've been told that if the above command completes successfully then the risk remains and we need to correct it. I'm at a loss as to what other settings would fix this and do not want to script the deletion of the share. Are there any other settings that need to be set? Should these settings cause the anonymous connection to fail? Is there anything else I might have missed?

  • Ryan Ries over 9 years
    And you've rebooted since changing the settings? And you've confirmed that the problem actually does really still exist? (In other words, it's not a false positive?)
  • 5y5tem5 over 9 years
    Yes, I've rebooted. Yes, the "problem" does in fact exist. I'm just not sure if it really is a problem or if it's expected behavior, i.e. should I be getting an access denied error when I attempt to connect anonymously to the IPC$ share, or should it complete and just not allow me to enumerate any local resources? If it's the latter then their report is wrong; if it's the former then something is wrong with my setup...
  • raja over 9 years
    While my answer was for some odd reason downvoted, it reflects the guidance from the Microsoft guide on the matter. Also use the group policy settings rather than the reg keys.