The Network access: Let Everyone permissions apply to anonymous users security option setting
determines what additional permissions are granted for anonymous connections to the computer.
Enabling this setting allows anonymous Windows users to perform certain activities, such as
enumerating the names of domain accounts and network shares. An unauthorized user could
anonymously list account names and shared resources and use the information to guess passwords or
perform social engineering attacks. Therefore, this setting is configured to Disabled in the three
environments defined in this guide.
Network access: Shares that can be accessed anonymously
Member Server Default: COMCFG,DFS$
Legacy Client: None
Enterprise Client: None
High Security Client: None
Important: Enabling this Group Policy setting is very dangerous; any shares that are listed can be
accessed by any network user. This could lead to the exposure or corruption of sensitive corporate
data. However, administrators within multi-protocol heterogeneous environments may need to check
their third-party applications within their NAS box, as well as other server systems within the
network, and verify that they are still functioning properly.
The Network access: Shares that can be accessed anonymously security option setting determines
which network shares can be accessed by anonymous users. The default for this setting has little
impact, as all users have to be authenticated before they can access shared resources on the server.
Therefore, ensure that this setting is configured to None in the three environments defined in this
guide.
Network security: Do not store LAN Manager hash value on next password change
Member Server Default: Disabled
Legacy Client: Enabled
Enterprise Client: Enabled
High Security Client: Enabled
Important: Very old legacy operating systems and some third-party applications may fail when this
setting is enabled. Also, administrators will need to change the password on all accounts after
enabling this setting, because the existing LM hashes are only removed when each password is next
changed. Administrators within multi-protocol heterogeneous environments may want to verify that
all applications and protocol communications are working properly within their environment once
this setting is set. This setting must be set to Disabled for HP NAS server systems within
multi-protocol network environments involving NFS, AFTP, or NCP.
The Network security: Do not store LAN Manager hash value on next password change security
option setting determines whether the LAN Manager (LM) hash value for the new password is stored
when the password is changed. The LM hash is relatively weak and prone to attack, as compared
with the cryptographically stronger Windows NT hash. For this reason, this setting is configured to
Enabled in the security environments defined in this guide.
Network security: LAN Manager authentication level
Member Server Default: Send NTLM response only
Legacy Client: Send NTLM response only
Enterprise Client: Send NTLM response only
High Security Client: Send NTLMv2 response only\refuse LM & NTLM
Important: Administrators within multi-protocol heterogeneous environments may want to verify that
all applications and protocol communications are working properly within their NAS box, and other
servers within their network, once this setting is set. If administrators find applications that break
when this setting is enabled, roll it back one step at a time to discover which level breaks them. At a
minimum, this setting should be set to Send LM & NTLM - use NTLMv2 session security if negotiated
on all computers, and it can typically be set to Send NTLMv2 response only on all computers in the
environment.
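As an added check that is not part of the guide, the following PowerShell script reads the registry values that back the four security options discussed on this page and reports any that fall short of the High Security Client column. The registry paths and value names are the standard ones for these policies rather than values taken from this page, and the LmCompatibilityLevel numbers are mapped to the Group Policy wording the guide uses.

```powershell
# Added audit script, not from the guide: reads the registry values behind the four
# security options discussed above and reports any that fall short of the High
# Security Client column. Registry paths and value names are the standard ones for
# these policies (assumed, not taken from this page); run elevated on the server.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# LmCompatibilityLevel numbers mapped to the Group Policy wording the guide uses.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the operating system default applies.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-AnonymousAndLmBaseline {
    $findings = @()
    # Let Everyone permissions apply to anonymous users: baseline Disabled (0 or absent)
    if ((Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1) {
        $findings += 'Let Everyone permissions apply to anonymous users: Enabled (baseline Disabled)'
    }
    # Shares that can be accessed anonymously: baseline None (empty MULTI_SZ)
    $shares = @(@(Get-RegValue $server 'NullSessionShares') | Where-Object { $_ })
    if ($shares.Count -gt 0) {
        $findings += "Shares that can be accessed anonymously: $($shares -join ',') (baseline None)"
    }
    # Do not store LAN Manager hash value on next password change: baseline Enabled (1)
    if ((Get-RegValue $lsa 'NoLMHash') -ne 1) {
        $findings += 'Do not store LAN Manager hash value: Disabled (baseline Enabled; LM hashes stay until passwords are changed)'
    }
    # LAN Manager authentication level: minimum level 1, High Security Client level 5
    $level = Get-RegValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $level) {
        $findings += 'LAN Manager authentication level: not set, OS default applies (baseline level 5)'
    } elseif ($level -lt 5) {
        $gap = if ($level -lt 1) { 'below the minimum of level 1' } else { 'below High Security Client' }
        $findings += "LAN Manager authentication level: $($LmLevelNames[[int]$level]) is $gap (baseline level 5)"
    }
    return $findings
}

$result = @(Test-AnonymousAndLmBaseline)
if ($result.Count -eq 0) { 'All four settings meet the High Security Client baseline.' } else { $result }
```

Because the guide allows lower LAN Manager levels for the Legacy and Enterprise Client environments, treat the level finding as informational there and adjust the threshold to the column that applies to the server being audited.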