NULL session restrictions: registry values and security options (2/2)

• RestrictAnonymousSam (Windows XP, Windows 2003)

  • Network access: Do not allow anonymous enumeration of SAM accounts
  • Enabled by default, preventing anonymous access to samr

• Network access: Allow anonymous SID/Name translation

  • Disabled by default
  • Modifies the security descriptor on LSA policy object, to deny or allow anonymous SID to name translation

• TurnOffAnonymousBlock (Windows 2003)

  • Not present by default, preventing anonymous access to lsarpc
  • When present and set to 1, allow anonymous access to lsarpc