
Network access: Do not allow anonymous enumeration of SAM accounts

This setting controls the RestrictAnonymousSAM registry value, which resides in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. RestrictAnonymousSAM specifies whether anonymous connections can enumerate the user accounts on the local system (on a domain controller, these are the domain accounts).

By default, Windows 2003 and XP disable “Network access: Do not allow anonymous enumeration of SAM accounts and shares” and enable “Network access: Do not allow anonymous enumeration of SAM accounts”. 

With these defaults, the result is that anonymous connections can enumerate shares but can't list local user accounts. 

Anonymous enumeration of user accounts is one way attackers can obtain usernames for use in social engineering or for which they can try to guess the passwords. 

Anonymous enumeration of shares is less of a risk, but it does obviously provide an attacker a list of folders to try to access if he or she succeeds in logging on to the computer.

Note: the similarly named “Network access: Do not allow anonymous enumeration of SAM accounts and shares” policy has no impact on the enumeration of user accounts. That policy should have simply been named “Network access: Do not allow anonymous enumeration of shares”.
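As an added example (not part of the WinSecWiki page), the following PowerShell audits the two LSA values behind these policies and reports whether anonymous sessions can list accounts or shares. It assumes the value names RestrictAnonymousSAM (this policy) and RestrictAnonymous (the "SAM accounts and shares" policy), both DWORDs under the Lsa subkey named above, and treats a missing value as the Windows XP/2003 default the page describes.

```powershell
# Added example, not from WinSecWiki: report the effective anonymous-enumeration
# posture of the local machine from the LSA registry values.
function Get-AnonymousEnumerationPosture {
    [CmdletBinding()]
    param(
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop

    # Assumed defaults (XP/2003, per the page): account enumeration blocked (1),
    # share enumeration allowed (0). A missing value is read as the default.
    $sam    = if ($null -ne $props.RestrictAnonymousSAM) { [int]$props.RestrictAnonymousSAM } else { 1 }
    $shares = if ($null -ne $props.RestrictAnonymous)    { [int]$props.RestrictAnonymous }    else { 0 }

    $finding = if ($sam -ne 1) {
        'RestrictAnonymousSAM is 0: anonymous sessions can list user accounts'
    } elseif ($shares -ne 1) {
        'RestrictAnonymous is 0: anonymous sessions can list shares'
    } else {
        'Anonymous enumeration of both accounts and shares is blocked'
    }

    [pscustomobject]@{
        RestrictAnonymousSAM        = $sam
        RestrictAnonymous           = $shares
        AnonymousAccountEnumBlocked = ($sam -eq 1)
        AnonymousShareEnumBlocked   = ($shares -eq 1)
        Finding                     = $finding
    }
}

# Remediation helper: set this policy (RestrictAnonymousSAM) to Enabled.
# Requires an elevated session; the same change can be made through the
# Security Options policy UI or Group Policy.
function Enable-RestrictAnonymousSAM {
    param([string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')
    Set-ItemProperty -Path $LsaKey -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord
}

Get-AnonymousEnumerationPosture | Format-List
```

Run the audit function across a fleet (for example via Invoke-Command) to find hosts where RestrictAnonymousSAM has been set to 0, since that is the value that exposes the username list described above.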
