Should anonymous access to the IPC$ share be allowed on Windows 2008 R2?
During an audit the question of anonymous access to the IPC$ share (null sessions) was raised. The audit lists the following as being a risk on a Windows 2008 R2 file server:
C:\>net use \\fileserver\ipc$ "" /user:""
The command completed successfully.
I've confirmed that the following settings are configured
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Network access: Allow anonymous SID/Name translation = disabled
Network access: Do not allow anonymous enumeration of SAM accounts = enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares = enabled
Network access: Let Everyone permissions apply to anonymous users = disabled
Network access: Named Pipes that can be accessed anonymously = <blank>
Network access: Shares that can be accessed anonymously = <blank>
and that anonymous enumeration (shares, users, etc.) does not work, but I've been told that if the above command completes successfully then the risk remains and we need to correct it. I'm at a loss as to what other settings would fix this and do not want to script the deletion of the share. Are there any other settings that need to be set? Should these settings cause the anonymous connection to fail? Is there anything else I might have missed?
Solution 1:
Change the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
RestrictAnonymous = 2
Or, if you'd rather do it via Group Policy:
Network access: Restrict anonymous access to Named Pipes and Shares = Enabled.
Also you want to make sure that
Network access: Let Everyone permissions apply to anonymous users
is set to Disabled. This corresponds to the registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
EveryoneIncludesAnonymous = 0
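As an added example (my own, not from the question or the answer above), a PowerShell audit script that reads the registry values behind the policies discussed in this thread, flags any that differ from a hardened baseline, and repeats the null-session test from the question. The policy-to-registry mapping, the baseline values and the Get-RegValue/Test-NullSession helpers are my assumptions, not something taken from the thread.

```powershell
# Added audit script (not from the thread). Maps each policy above to the registry
# value that stores it; the mapping and the baseline in each Test block are my assumptions.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Path = $lsa; Name = 'RestrictAnonymousSAM';      Test = { $args[0] -eq 1 } },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa; Name = 'RestrictAnonymous';         Test = { $args[0] -ge 1 } },
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Test = { $args[0] -eq 0 } },
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares';           Path = $srv; Name = 'RestrictNullSessAccess';    Test = { $args[0] -eq 1 } }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the Windows default applies; treat that as a finding
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    $ok = ($null -ne $actual) -and (& $c.Test $actual)
    $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
    '{0,-4} {1,-62} {2} = {3}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Policy, $c.Name, $shown)
}

# Multi-string exception lists: every entry here stays reachable over a null session
foreach ($n in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @(Get-RegValue $srv $n | Where-Object { $_ -ne '' })
    $state = if ($entries.Count -eq 0) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-62} {2} = {3}' -f ($state, "$n exception list", $n, ($entries -join ', '))
}

# Repeat the null-session test from the question (defaults to the local machine name)
function Test-NullSession([string]$Server = $env:COMPUTERNAME) {
    # '""' hands a literal empty string to net.exe for both the password and the user name
    $null = & net use "\\$Server\ipc$" '""' '/user:""' 2>&1
    $connected = ($LASTEXITCODE -eq 0)
    if ($connected) { $null = & net use "\\$Server\ipc$" /delete 2>&1 }   # clean up the test session
    return $connected
}

if (Test-NullSession) { 'FAIL null session to IPC$ still succeeds' } else { 'PASS null session to IPC$ refused' }
```

Run it in an elevated PowerShell session on the file server; Test-NullSession can also be pointed at another host by name to check from a client's perspective.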