
Network access: Do not allow anonymous enumeration of SAM accounts and shares

Note: this policy has no impact on the enumeration of user accounts. This policy should have simply been named “Network access: Do not allow anonymous enumeration of shares”. To control enumeration of accounts see “Network access: Do not allow anonymous enumeration of SAM accounts”.

By default, Windows 2003 and XP disable “Network access: Do not allow anonymous enumeration of SAM accounts and shares” and enable “Network access: Do not allow anonymous enumeration of SAM accounts”. 

With these defaults, the result is that anonymous connections can enumerate shares but can't list local user accounts. 

Anonymous enumeration of user accounts is one way attackers can obtain usernames for use in social engineering or for which they can try to guess the passwords. 

Anonymous enumeration of shares is less of a risk, but it does obviously provide an attacker a list of folders to try to access if he or she succeeds in logging on to the computer. 

Bottom line

Enable this policy on workstations and member servers, but be careful about enabling it on domain controllers, since it can cause connectivity problems that prevent users in one-way trusted domains from listing shared folders on servers in this domain.
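The following audit script is an added example, not part of the WinSecWiki page. It reports which of the two anonymous-enumeration policies described above are in effect on the local machine, flags the domain-controller caveat, and assumes the standard mapping of these policies to the Lsa registry values RestrictAnonymous (accounts and shares) and RestrictAnonymousSAM (accounts only), where 1 means enabled and a missing or 0 value means disabled.

```powershell
# Added audit helper (not from WinSecWiki). Assumes the standard mapping of the two
# "Network access" policies to the Lsa registry values RestrictAnonymous and
# RestrictAnonymousSAM (REG_DWORD, 1 = policy enabled, missing/0 = disabled).
function Get-AnonymousEnumerationPosture {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $lsa -ErrorAction Stop

    # A missing value is treated as 0; [int]$null evaluates to 0.
    $restrictAnon    = [int]$props.RestrictAnonymous
    $restrictAnonSam = [int]$props.RestrictAnonymousSAM

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    $findings = @()
    if ($restrictAnonSam -ne 1) {
        $findings += 'Anonymous sessions can list local user accounts (RestrictAnonymousSAM is not 1).'
    }
    if ($restrictAnon -ne 1) {
        $findings += 'Anonymous sessions can list shares (RestrictAnonymous is not 1).'
    }
    elseif ($isDc) {
        $findings += 'RestrictAnonymous=1 on a domain controller: verify share listing still works from one-way trusted domains.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDc
        RestrictAnonymous    = $restrictAnon
        RestrictAnonymousSAM = $restrictAnonSam
        Findings             = $findings
    }
}

# Usage: run in an elevated session to read the Lsa key reliably.
Get-AnonymousEnumerationPosture | Format-List
```

With the Windows 2003/XP defaults described above, the output shows RestrictAnonymous = 0 and RestrictAnonymousSAM = 1, with a single finding that shares can be listed anonymously.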
