Anyone taken the plunge with "Do not allow anonymous enumeration of SAM account

Subject: Anyone taken the plunge with "Do not allow anonymous enumeration of SAM account
Posted by:  Trust No One (dana.scul…@usa.net)
Date: Mon, 20 Aug 2007

Hi Folks,

I've had this one on the backburner for some time, but I've reached the
stage where I finally need to decide whether I should attempt to
"secure" our AD by setting the policy "Do not allow anonymous
enumeration of SAM accounts and shares" to enabled on our domain
controllers and member servers.

Our AD is largish - about 40,000 user accounts with a hub datacentre
and 50 domain controller locations worldwide. Certainly not as large
as some of the implementations on here but still not small either :)

All our domain controllers run Windows 2003 SP1, and all client
workstations run Windows XP SP2. Our member servers are a combination
of Windows 2003 SP1 and Windows 2000 SP4. There are no legacy Windows
clients on our network or trusts to down-level domains. We are about
to roll out Windows 2003 SP2.

The scenario seems ripe for implementation of this setting which is
equivalent to RestrictAnonymous=2 in Windows 2000, and restricts null
sessions and the information that can be retrieved by anonymous user
accounts.

I've read just about every MSFT whitepaper, KB Article and 3rd party
security article I can lay my hands on, and they generally agree that
this setting is "nice to have" in W2K and above environments. However
I notice that Microsoft usually qualify their recommendations with
statements such as "it may break some legacy applications and
services" and "proceed at your own risk after extensive testing" :)

Particular problem areas seem to be printing, as apparently you cannot
select printers from AD - not sure if this applies to W2K only;
enumerating accounts across one-way trust relationships - not sure if
this applies to legacy trusts only; and also it breaks the browser
service.

So... Has anyone out there successfully implemented this policy on
their Active Directory? Did you come across any problems with printing
or trust relationships? The browser service shouldn't really be an
issue with W2K and above, and indeed we significantly restricted the
browser interval using the Masterperiodicity setting as the service
was chucking gigabytes of data daily across our WAN!

Advice and "gotchas" most appreciated. We have gone through the pain
of upgrading our AD to Windows 2003 forest function level and we'd
certainly like to secure it as much as possible, given that we run
only Windows XP, and W2K\W2K3 clients.

--
Peter <X-Files Fan>
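Before flipping the policy, it helps to know which machines already carry the registry values it sets. The following PowerShell script is an added example (not from the original post or its replies) that reads the Lsa values behind the "Network access: Do not allow anonymous enumeration ..." policies on a list of hosts over the Remote Registry service and reports the ones that are not hardened. It assumes a modern PowerShell on the auditing workstation, admin rights on the targets, and uses placeholder host names.

```powershell
# Added example: audit the Lsa registry values behind the anonymous-enumeration
# policies on each host. Assumes Remote Registry is reachable and the caller is
# a local administrator on the targets. Host names below are placeholders.

function Get-AnonymousEnumerationState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName
    )

    # Value name -> the policy that sets it and the value that means "hardened".
    $checks = @(
        @{ Name = 'RestrictAnonymousSAM';      Hardened = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts' },
        @{ Name = 'RestrictAnonymous';         Hardened = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' },
        @{ Name = 'EveryoneIncludesAnonymous'; Hardened = 0; Policy = 'Let Everyone permissions apply to anonymous users (should be Disabled)' }
    )

    foreach ($computer in $ComputerName) {
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

            foreach ($check in $checks) {
                # A missing value behaves like the OS default, which is 0 for all three.
                $actual = $lsa.GetValue($check.Name, 0)
                [pscustomobject]@{
                    ComputerName = $computer
                    Policy       = $check.Policy
                    Value        = $check.Name
                    Actual       = $actual
                    Hardened     = ($actual -eq $check.Hardened)
                }
            }
            $lsa.Close(); $hive.Close()
        }
        catch {
            # Unreachable host or access denied: report it rather than silently skipping it.
            [pscustomobject]@{
                ComputerName = $computer; Policy = 'n/a'; Value = 'n/a'
                Actual = $_.Exception.Message; Hardened = $false
            }
        }
    }
}

# Placeholder host names; replace with the DC and member server names from AD.
Get-AnonymousEnumerationState -ComputerName 'DC01', 'FILESRV01' |
    Where-Object { -not $_.Hardened } |
    Format-Table -AutoSize
```

Running it once before and once after the GPO change gives a per-host record of which values actually took effect, which is useful when tracing any printing or trust breakage back to a specific value.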
