
Explanation of Anonymous Named Pipes Security Policy

Posted by Will on August 20, 2006, 9:28 pm
Windows 2003 has a default local security policy that gives Anonymous
access to the following named pipes:

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
netlogon
lsarpc
samr
browser

There is a separate security policy setting for Anonymous access to shares:

COMCFG
CFS$

Is there any good documentation for what each of these is, and why Windows
2003 wants anonymous access to them? Which of these can safely be removed
for:

- standalone server
- member server in a domain
- domain controller

--
Will
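Both settings asked about here ("Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously") are stored as REG_MULTI_SZ values NullSessionPipes and NullSessionShares under the LanmanServer Parameters key, alongside RestrictNullSessAccess, which is what makes the lists matter at all. The following is an added example, not code from the thread or from Microsoft: it reads those values on the local machine and diffs the pipe list against the Windows 2003 default quoted in the post above. The function names are mine; it assumes it is run in an elevated PowerShell session on the server being reviewed.

```powershell
# Added example (not from the thread): inspect the two anonymous-access policy settings
# where Windows stores them and diff the pipe list against the 2003 default quoted above.
# Assumed: elevated PowerShell on the machine being reviewed.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Default anonymously reachable pipes, exactly as listed in the original post.
$DefaultNullSessionPipes = @('COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS',
                             'netlogon', 'lsarpc', 'samr', 'browser')

function Get-NullSessionPolicy {
    # Returns the effective NullSessionPipes / NullSessionShares lists and the
    # RestrictNullSessAccess flag. A missing value comes back as an empty list / $null.
    $p = Get-ItemProperty -Path $LanmanParams -ErrorAction Stop
    [pscustomobject]@{
        Pipes                  = @($p.NullSessionPipes  | Where-Object { $_ })
        Shares                 = @($p.NullSessionShares | Where-Object { $_ })
        # 1 = anonymous access limited to the listed pipes/shares; $null = value not set
        RestrictNullSessAccess = $p.RestrictNullSessAccess
    }
}

function Compare-NullSessionPipes {
    param(
        [string[]]$Current,
        [string[]]$Baseline = $DefaultNullSessionPipes
    )
    # Pipe names are case-insensitive (the thread writes "netlogon" and "Netlogon"),
    # so normalise before comparing.
    $cur  = @($Current  | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $base = @($Baseline | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    [pscustomobject]@{
        Added   = @($cur  | Where-Object { $_ -notin $base })  # present locally, not in the default
        Removed = @($base | Where-Object { $_ -notin $cur })   # in the default, already trimmed here
    }
}

$policy = Get-NullSessionPolicy
"RestrictNullSessAccess : $($policy.RestrictNullSessAccess)"
"Anonymous pipes        : $($policy.Pipes  -join ', ')"
"Anonymous shares       : $($policy.Shares -join ', ')"

$diff = Compare-NullSessionPipes -Current $policy.Pipes
"Pipes beyond the 2003 default : $($diff.Added   -join ', ')"
"Default pipes already trimmed : $($diff.Removed -join ', ')"
```

Anything that shows up under "Added" is a pipe some product or administrator opened to anonymous callers after installation and deserves the same "what is this and who needs it" question the post asks about the defaults. If RestrictNullSessAccess is not 1, the lists are not being enforced as a restriction in the first place.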



Posted by Joe Richards [MVP] on August 20, 2006, 11:49 pm
I have never seen these documented in any detail and don't really expect
it. For stuff like this that has been around for ages, it would be nice to
have documentation, but it seems to be very difficult for MSFT to
document because I don't think they know for sure everywhere that it is
being used. Not a great answer, but that is how it stands.

You could set up long term network tracing and watch for the access to
the named pipes. Alternately you could close them off and wait for
something to break.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Posted by Roger Abell [MVP] on August 21, 2006, 1:43 am
Will,

Read the Windows Server 2003 Security Guide.
There you will see that the two you mention are also controlled by the
setting to allow (or not) anonymous access to shares and named pipes,
and if I recall correctly, the guide recommends emptying the list of
shares for a high-security environment.
The named pipes can be trimmed significantly for most machines.
The guide gives usage information for these as

COMNAP - SNA session access
COMNODE - SNA session access
SQL\QUERY - SQL instance access
SPOOLSS - Spooler service
LLSRPC - License Logging service
Netlogon - Net Logon service
Lsarpc - LSA access
Samr - SAM access
browser - Computer Browser service

which is pretty fully informative except for maybe Samr, which is
the protocol for remote management of objects in the SAM.


Posted by Will on August 21, 2006, 8:38 pm
This is really helpful and thanks.

What is SNA?

Remote management of objects in my SAM...just what every standalone Windows
box in a DMZ needs! :)

I tried to empty the list, and immediately many Windows 2003 applications
start to hang when you logout. So it's back to making smaller random
experiments and just praying something else doesn't break later.

--
Will



Posted by Roger Abell [MVP] on August 23, 2006, 1:36 am
> This is really helpful and thanks.
>

You're welcome.

> What is SNA?
>

An IBM protocol that pre-existed TCP/IP and formed a first cut
at the 7-layer model of network protocols. I don't recall at the
moment, but I think it was System rather than Server in System
Network Architecture = SNA.
You need those if you articulate with the IBM mainframe world,
such as with the MS product aimed at that intercommunication.

> Remote management of objects in my SAM...just what every standalone
> Windows
> box in a DMZ needs! :)

Mostly used in situations like domain join, new account creation, etc.

>
> I tried to empty the list, and immediately many Windows 2003 applications
> start to hang when you logout. So it's back to making smaller random
> experiments and just praying something else doesn't break later.

You want LSA, and if in a domain, Netlogon.
SQL\QUERY if people need to find the list of SQL instances installed, but
not just to use SQL if they know what instance.
Spooler of course supports print services.
Browser if it will be participating in MS Networking (browse lists, etc.)


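Roger's last reply turns the pipe list into a set of role questions: always keep lsarpc; keep netlogon if the box is in a domain; keep SPOOLSS, browser and SQL\QUERY only if the machine actually prints, participates in browse lists or lets clients enumerate SQL instances; COMNAP/COMNODE only if it talks SNA. The following is an added example, not code from the thread or from the Security Guide: it builds a trimmed NullSessionPipes list from exactly those switches and writes it back with -WhatIf/-Confirm support, so the "smaller experiments" Will describes can be dry-run and reviewed before anything changes. Function names and switch names are mine. It assumes an elevated session and that the setting is not also defined in a domain GPO (if it is, the GPO value will overwrite the local registry value at the next policy refresh, and the same list belongs in the GPO instead).

```powershell
# Added example (not from the thread): role-based trimming of the anonymous pipe list
# following the guidance in Roger Abell's reply, applied via the REG_MULTI_SZ value that
# the "Named Pipes that can be accessed anonymously" policy setting writes.
# Assumed: elevated PowerShell; no domain GPO enforcing this setting on the target.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function New-NullSessionPipeList {
    [CmdletBinding()]
    param(
        [switch]$DomainMember,       # member server or DC: Net Logon needs netlogon
        [switch]$PrintServer,        # serves printers: the spooler uses SPOOLSS
        [switch]$BrowserParticipant, # takes part in MS Networking browse lists
        [switch]$SqlDiscovery,       # clients enumerate SQL instances anonymously (SQL\QUERY)
        [switch]$SnaGateway,         # IBM SNA / host integration traffic (COMNAP, COMNODE)
        [switch]$AllowSamr           # anonymous SAM access (domain join, account creation);
                                     # keep only for a dependency you have actually verified
    )
    # lsarpc is kept unconditionally: the thread's advice is that LSA access is always wanted.
    $pipes = New-Object System.Collections.Generic.List[string]
    $pipes.Add('lsarpc')
    if ($DomainMember)       { $pipes.Add('netlogon') }
    if ($PrintServer)        { $pipes.Add('SPOOLSS') }
    if ($BrowserParticipant) { $pipes.Add('browser') }
    if ($SqlDiscovery)       { $pipes.Add('SQL\QUERY') }
    if ($SnaGateway)         { $pipes.AddRange([string[]]@('COMNAP', 'COMNODE')) }
    if ($AllowSamr)          { $pipes.Add('samr') }
    # Leading comma keeps a single-element result as an array.
    return ,$pipes.ToArray()
}

function Set-NullSessionPipes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Pipes
    )
    $before = @((Get-ItemProperty -Path $LanmanParams).NullSessionPipes | Where-Object { $_ })
    $action = "NullSessionPipes: [$($before -join ', ')] -> [$($Pipes -join ', ')]"
    if ($PSCmdlet.ShouldProcess($LanmanParams, $action)) {
        # An empty array empties the list entirely, which is the experiment that made
        # applications hang at logoff for Will, so only pass @() when that is intended.
        Set-ItemProperty -Path $LanmanParams -Name NullSessionPipes `
                         -Value ([string[]]$Pipes) -Type MultiString
    }
}

# Standalone box in a DMZ that only serves its own application: lsarpc alone.
$standalone = New-NullSessionPipeList
# Domain member that also hosts printers.
$member     = New-NullSessionPipeList -DomainMember -PrintServer

# Dry run shows the before/after lists; drop -WhatIf once tracing confirms nothing else needs a pipe.
Set-NullSessionPipes -Pipes $standalone -WhatIf
```

Pair this with the long-term tracing Joe suggests: trim with -WhatIf, review the proposed list against what the capture shows actually being opened anonymously, then apply. Note that the list only restricts anything when RestrictNullSessAccess is 1, and that a domain controller still has to answer the domain-join and account-creation traffic Roger mentions, so treat -AllowSamr on a DC as a decision to test, not a default to assume.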