Do not allow anonymous enumeration of SAM accounts

Roy Ludmir
Updated on: September 29, 2025
Allowing anonymous enumeration of Security Account Manager (SAM) accounts exposes a system to significant security risks. In this post, we explain what SAM is, the risks involved, and how to harden your systems against them.

What You Will Learn

  • What are SAM accounts?
  • Why allowing anonymous enumeration is a serious security risk.
  • How attackers exploit this setting.
  • Why is it recommended to disable anonymous enumeration?
  • How CalCom CHS Automates This Hardening Policy.

What is the SAM Account Anonymous Enumeration?

Two policy settings control whether anonymous users can enumerate SAM accounts. Use these policy settings to disable that capability.

Until Windows 2000, hackers deleted SAM files to bypass local authentication and log in to any account without a password. Microsoft fixed this issue. However, utilities such as an emulated virtual device or a boot disk enable workarounds.

Disabling Anonymous Enumeration

This policy governs permissions assigned to anonymous connections to the device. Anonymous users are allowed to perform certain activities by Windows, like enumerating the names of domain accounts and network shares.

According to the Center for Internet Security (CIS), automated server hardening increases security and restricts anonymous users from enumerating accounts. This reduces the risk of human error and streamlines the configuration process.

When this policy setting is enabled, anonymous users can access only resources for which they have been granted permissions, for example through the built-in group Anonymous Logon.

Configure: Do not allow anonymous enumeration of SAM accounts

To configure via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

Do not allow anonymous enumeration of SAM accounts and shares

This policy setting controls the ability of anonymous users to enumerate SAM accounts and shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. This prevents unauthorized users from anonymously listing account names and shared resources, information they could otherwise use to guess passwords or carry out social engineering attacks.

Configure: Do not allow anonymous enumeration of SAM accounts and shares

To configure via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

Possible Configuration Values

The possible settings for each policy are Enabled and Disabled.

An administrator cannot assign additional permissions for anonymous connections. These rely solely on default permissions. However, an unauthorized user can anonymously list account names and use the information to guess passwords or conduct social engineering attacks.
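As an added example (not part of the original post and not CalCom's product code), the following PowerShell audits both policies on a host by reading the registry values that back them, and with -Remediate sets any non-compliant value. It assumes the standard mapping of these two Security Options to the DWORD values RestrictAnonymousSAM and RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example (not CalCom's code): audit and optionally remediate the two
# "Network access: Do not allow anonymous enumeration ..." settings.
# Assumed backing registry values (DWORD) under the LSA key:
#   RestrictAnonymousSAM = 1 -> "... enumeration of SAM accounts" is Enabled
#   RestrictAnonymous    = 1 -> "... enumeration of SAM accounts and shares" is Enabled
# Run from an elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Remediate)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy display name -> registry value name and the value that means "Enabled"
$Policies = @(
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts';            ValueName = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; ValueName = 'RestrictAnonymous';    Expected = 1 }
)

function Get-AnonymousEnumerationState {
    foreach ($p in $Policies) {
        # A missing value means the OS default applies; report it as 'not set' instead of guessing.
        $current = (Get-ItemProperty -Path $LsaKey -Name $p.ValueName -ErrorAction SilentlyContinue).($p.ValueName)
        [pscustomobject]@{
            Policy    = $p.Name
            ValueName = $p.ValueName
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Expected  = $p.Expected
            Compliant = ($current -eq $p.Expected)
        }
    }
}

$state = Get-AnonymousEnumerationState
$state | Format-Table Policy, ValueName, Current, Expected, Compliant -AutoSize

if ($Remediate) {
    foreach ($item in ($state | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path $LsaKey -Name $item.ValueName -Value $item.Expected -Type DWord
        Write-Host "Set $LsaKey\$($item.ValueName) to $($item.Expected)"
    }
    # On domain-joined hosts Group Policy re-applies its own value at the next refresh,
    # so make the change in the GPO (see the UI paths above) rather than relying on this.
}
```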

Where is SAM stored

The SAM database file is stored within C:\Windows\System32\config. All of the data within the file is encrypted. The password hashes are stored in HKEY_LOCAL_MACHINE\SAM.

Potential impact of vulnerability

It will be impossible to establish trusts with Windows NT 4.0–based domains. Additionally, client computers running older versions of the Windows operating system, such as Windows NT 3.51 and Windows 95, will encounter issues when attempting to access resources on the server.

Key Takeaways

  • Anonymous SAM enumeration exposes usernames and account details
  • This vulnerability increases the risk of unauthorized access.
  • Disabling anonymous enumeration is a recommended hardening practice
  • Compliance frameworks require strict account security controls
  • CalCom CHS automates the enforcement of this setting

How CalCom Disables SAM Anonymous Account Enumeration

CalCom Hardening Suite (CHS) automates disabling anonymous enumeration of SAM accounts. This protects sensitive credentials, ensures compliance with CIS and Microsoft guidelines, and maintains production stability without manual effort. This prevents attackers from gaining a foothold.

FAQs

What are SAM accounts?
Security Account Manager (SAM) accounts store user credentials and security information in Windows systems.
Why is anonymous enumeration of SAM accounts dangerous?
It allows attackers to gather usernames and account details without authentication.
Should anonymous enumeration be disabled?
Yes. Security frameworks recommend it to reduce attack surface.
Does disabling anonymous enumeration affect normal operations?
No. Legitimate users and applications are unaffected, as they authenticate through proper channels.
How does CalCom help with this policy?
CalCom Hardening Suite (CHS) automates the enforcement of this setting, ensuring secure, compliant configurations without disrupting production systems.
Roy Ludmir
Roy Ludmir is a cybersecurity entrepreneur and CEO with over 15 years of experience driving product innovation and sales growth in the security industry. He is highly skilled in CIS Benchmarks, baseline hardening, and vulnerability management, helping organizations strengthen defenses and meet compliance requirements. With a unique blend of executive leadership and deep technical expertise, he bridges business strategy with practical security solutions.
