Click here to get back home

SAMR named pipe
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
SAMR named pipe adrianwheway 01-31-2008
`--> Re: SAMR named pipe Lognoul, Marc [...01-31-2008
Posted by adrianwheway on January 31, 2008, 10:35 am
Please log in for more thread options
 Hi there,

On my Windows 2003 servers I prevent anonymous sid and name
translation, I do not allow anonymous enumeration of SAM accounts or
shares and I do not allow the everyone permission to apply to
anonymous users. I also do not allow any named pipes to be accessed
anonymously.

I have an application that manages passwords and in order to change
the passwords of accounts on remote servers across the network, the
target servers must allow anonymous access to the named pipe SAMR.

Are there any serious security implications if I allow anonymous
access to the SAMR named pipe, but keep the other restrictions in
place?

Thanks,
Adrian.

Posted by Lognoul, Marc [Private] on January 31, 2008, 3:48 pm
Please log in for more thread options
 Doing so would allow an unauthenticated user or system to "harvest" users,
groups and other security-related information.
This would ease password guessing.

I found pretty strange that an application managing password needs anonymous
access. Is this application rather old?

--
KR/Amicalement/MVG,
Marc

> Hi there,
>
> On my Windows 2003 servers I prevent anonymous sid and name
> translation, I do not allow anonymous enumeration of SAM accounts or
> shares and I do not allow the everyone permission to apply to
> anonymous users. I also do not allow any named pipes to be accessed
> anonymously.
>
> I have an application that manages passwords and in order to change
> the passwords of accounts on remote servers across the network, the
> target servers must allow anonymous access to the named pipe SAMR.
>
> Are there any serious security implications if I allow anonymous
> access to the SAMR named pipe, but keep the other restrictions in
> place?
>
> Thanks,
> Adrian.


Similar ThreadsPosted
SAMR OpenUser fails with C0000022 December 10, 2007, 10:26 am
SAMR Interface Calls and Active Directory March 29, 2006, 8:16 am
Explanation of Anonymous Named Pipes Security Policy August 20, 2006, 9:28 pm
Shares, Named Pipes, and Registry for Anonymous Remote Access February 23, 2007, 2:24 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap