Disable anonymous enumeration of SAM on a domain ?
iautran
2007-03-26 15:03:11 UTC
Hi,

I would like to disable the anonymous enumeration of SAM accounts from
computers that are not joined to the domain.

I have modified the default domain controller policy to enable the "Do
not allow anonymous enumeration of SAM accounts"; "Do not allow
anonymous enumeration of SAM accounts and shares" but I can still
enumerate the accounts (with enum.exe) from a laptop not joined to the
domain (and not using an identical local username/password as one in
the domain).

Do you have any idea?

Thank you!
--
iautran
Jorge de Almeida Pinto [MVP - DS]
2007-03-26 21:18:25 UTC
To be sure nothing breaks...

have a look at:
MS KB Q823659: Client, service, and program incompatibilities that may occur
when you modify security settings and user rights assignments
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
Post by iautran
Hi,
I would like to disable the anonymous enumeration of SAM accounts from
computers that are not joined to the domain.
I have modified the default domain controller policy to enable the "Do
not allow anonymous enumeration of SAM accounts"; "Do not allow anonymous
enumeration of SAM accounts and shares" but I can still enumerate the
accounts (with enum.exe) from a laptop not joined to the domain (and not
using an identical local username/password as one in the domain).
Do you have any idea?
Thank you!
--
iautran
Joe Richards [MVP]
2007-03-27 00:15:25 UTC
I am pretty sure that setting is ignored on DCs, it will only be applied
to member machines. I.E. it is very important for that to work on DCs.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Post by iautran
Hi,
I would like to disable the anonymous enumeration of SAM accounts from
computers that are not joined to the domain.
I have modified the default domain controller policy to enable the "Do
not allow anonymous enumeration of SAM accounts"; "Do not allow
anonymous enumeration of SAM accounts and shares" but I can still
enumerate the accounts (with enum.exe) from a laptop not joined to the
domain (and not using an identical local username/password as one in
the domain).
Do you have any idea?
Thank you!
unknown
2007-03-27 07:54:43 UTC
Hi Jorge and Joe.

Thank you Jorge, I have already read this article.

So, if I understood correctly, you are saying that it is not possible to
stop anonymous enumeration of the SAM on DCs?
Everybody that has physical access to the network (without any domain
account) would be able to list every user in AD?

Thanks :)
I am pretty sure that setting is ignored on DCs, it will only be applied to
member machines. I.E. it is very important for that to work on DCs.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Post by iautran
Hi,
I would like to disable the anonymous enumeration of SAM accounts from
computers that are not joined to the domain.
I have modified the default domain controller policy to enable the "Do not
allow anonymous enumeration of SAM accounts"; "Do not allow anonymous
enumeration of SAM accounts and shares" but I can still enumerate the
accounts (with enum.exe) from a laptop not joined to the domain (and not
using an identical local username/password as one in the domain).
Do you have any idea?
Thank you!
--
bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
iautran
2007-03-29 09:37:34 UTC
I am pretty sure that setting is ignored on DCs, it will only be applied to
member machines. I.E. it is very important for that to work on DCs.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Post by iautran
Hi,
I would like to disable the anonymous enumeration of SAM accounts from
computers that are not joined to the domain.
I have modified the default domain controller policy to enable the "Do not
allow anonymous enumeration of SAM accounts"; "Do not allow anonymous
enumeration of SAM accounts and shares" but I can still enumerate the
accounts (with enum.exe) from a laptop not joined to the domain (and not
using an identical local username/password as one in the domain).
Do you have any idea?
Thank you!
Finally, do you think there is a solution to stop anonymous enumeration
from any computer not joined to the domain?

Thank you
--
iautran
Joe Richards [MVP]
2007-04-06 03:44:03 UTC
Well, there is nothing like that specific to that in the OS for DCs. You
could try to work out some sort of IPsec policies, I guess.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Post by iautran
Post by Joe Richards [MVP]
I am pretty sure that setting is ignored on DCs, it will only be
applied to member machines. I.E. it is very important for that to work
on DCs.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Post by iautran
Hi,
I would like to disable the anonymous enumeration of SAM accounts
from computers that are not joined to the domain.
I have modified the default domain controller policy to enable the
"Do not allow anonymous enumeration of SAM accounts"; "Do not allow
anonymous enumeration of SAM accounts and shares" but I can still
enumerate the accounts (with enum.exe) from a laptop not joined to
the domain (and not using an identical local username/password as
one in the domain).
Do you have any idea?
Thank you!
Finally, do you think there is a solution to stop anonymous enumeration
from any computer not joined to the domain?
Thank you
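Joe's IPsec suggestion aside, a defender can at least verify the LSA values behind the two policy settings iautran changed and look for the anonymous network logons that null-session enumeration leaves in the DC's Security log. The following PowerShell is an added example, not code from the thread; it assumes a domain controller running a current Windows Server (event ID 4624 rather than the older 540) and a placeholder $KnownMembers list of domain-joined addresses.

```powershell
# Added example (not from the thread): audit the anonymous-access LSA values
# named in the thread, then report anonymous network logons on this DC.
# Run in an elevated PowerShell on the domain controller.

$KnownMembers  = @('10.0.0.5', '10.0.0.6')   # placeholder: addresses of domain-joined hosts
$LookBackHours = 24

# 1. Read the registry values behind the policy settings discussed above.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = [ordered]@{
    'RestrictAnonymousSAM (Do not allow anonymous enumeration of SAM accounts)'         = $lsa.RestrictAnonymousSAM
    'RestrictAnonymous (Do not allow anonymous enumeration of SAM accounts and shares)' = $lsa.RestrictAnonymous
    'EveryoneIncludesAnonymous (Let Everyone permissions apply to anonymous users)'     = $lsa.EveryoneIncludesAnonymous
}
foreach ($name in $settings.Keys) {
    $value = $settings[$name]
    if ($null -eq $value) { $value = 'not set (default)' }
    Write-Host ("{0,-86} = {1}" -f $name, $value)
}

# 2. A null-session connection is logged as event 4624, logon type 3 (network),
#    with the account ANONYMOUS LOGON. Collect those and flag unknown sources.
$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Parse the event XML by field name rather than relying on property positions.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
    if ($d.LogonType -eq '3' -and $d.TargetUserName -eq 'ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            SourceIP    = $d.IpAddress
            Workstation = $d.WorkstationName
            KnownMember = ($KnownMembers -contains $d.IpAddress)
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
$unknown = @($hits | Where-Object { -not $_.KnownMember })
Write-Host ("{0} anonymous network logon(s) in the last {1}h, {2} from addresses outside the known-member list." `
            -f @($hits).Count, $LookBackHours, $unknown.Count)
```

The source address of a null session is the only thing that separates a non-domain laptop from a member machine here, which is why the thread ends with IPsec (authenticating the peer) rather than a registry value.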