Network access: Do not allow anonymous enumeration of SAM accounts and shares
04/19/2017
Applies to
Windows 10
Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting.
Reference
This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON.
This policy setting has no impact on domain controllers.
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Possible values
Enabled
Disabled
No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.
Not defined
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
Server type or GPO                           Default value
Default Domain Policy                        Not defined
Default Domain Controller Policy             Not defined
Stand-Alone Server Default Settings          Disabled
DC Effective Default Settings                Disabled
Member Server Effective Default Settings     Disabled
Client Computer Effective Default Settings   Disabled
Policy management
This section describes features and tools that are available to help you manage this policy.
Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
Policy conflicts
Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista).
Group Policy
This policy has no impact on domain controllers.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks.
Countermeasure
Enable the Network access: Do not allow anonymous enumeration of SAM accounts and shares setting.
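One way to verify that this countermeasure is actually in place on a host, as an added PowerShell example that is not part of this article. It assumes the setting is stored as the REG_DWORD value RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = Enabled, 0 = Disabled, missing = Not defined), which the article itself does not state.

```powershell
# Added example, not code from the original article: audit whether the
# "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
# countermeasure is in place. Assumption (not stated on the page): the setting is
# backed by REG_DWORD RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# where 1 = Enabled, 0 = Disabled and a missing value = Not defined.
function Get-AnonymousEnumerationPolicy {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $subKey    = 'SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'RestrictAnonymous'
    foreach ($computer in $ComputerName) {
        $hive = $null; $key = $null; $remote = $false
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $hive = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                # Remote query needs the Remote Registry service on the target.
                $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                $remote = $true
            }
            $key = $hive.OpenSubKey($subKey)
            $raw = if ($key) { $key.GetValue($valueName, $null) } else { $null }
            # Map the raw value onto the states the policy UI reports.
            if ($null -eq $raw)  { $state = 'Not defined' }
            elseif ($raw -eq 1)  { $state = 'Enabled' }
            elseif ($raw -eq 0)  { $state = 'Disabled' }
            else                 { $state = "Unexpected value $raw" }
            [pscustomobject]@{
                ComputerName      = $computer
                RestrictAnonymous = $raw
                State             = $state
                Compliant         = ($state -eq 'Enabled')   # the article's countermeasure
            }
        }
        catch {
            [pscustomobject]@{
                ComputerName      = $computer
                RestrictAnonymous = $null
                State             = "Query failed: $($_.Exception.Message)"
                Compliant         = $false
            }
        }
        finally {
            if ($key) { $key.Close() }
            if ($remote -and $hive) { $hive.Close() }
        }
    }
}
# Local check; pass -ComputerName host1,host2 to audit other machines.
Get-AnonymousEnumerationPolicy | Format-Table -AutoSize
```

Hosts reporting Not defined or Disabled are the ones on which the setting above still needs to be applied locally or through Group Policy.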
Potential impact
It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers.
Related topics