Re: Explanation of Anonymous Named Pipes Security Policy
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sun, 20 Aug 2006 22:43:08 -0700
Will,
Read in the Windows Server 2003 Security guide.
There you will see that the two you mention are also controlled by the
setting to allow (or not) anonymous access to shares and named pipes,
and if I recall correctly, the guide recommends emptying the list of
shares for high sec environment.
The named pipes can be trimmed significantly for most machines.
The guide gives use information for these as
COMNAP - SNA session access
COMNODE - SNA session access
SQL\QUERY - SQL instance access
SPOOLSS - Spooler service
LLSRPC - License Logging service
Netlogon - Net Logon service
Lsarpc - LSA access
Samr - SAM access
browser - Computer Browser service
which is pretty fully informative except for maybe Samr, which is
the protocol for remote management of objects in the Sam.
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:%23qOVcEMxGHA.3264@xxxxxxxxxxxxxxxxxxxxxxx
Windows 2003 has a default local security policy that gives Anonymous
access to the following named pipes:
COMNAP
COMNODE
SQL\QUERY
SPOOLSS
netlogon
lsarpc
samr
browser
There is a separate security policy setting for Anonymous access to
shares:
COMCFG
CFS$
Is there any good documentation for what each of these is, and why Windows
2003 wants anonymous access to them? Which of these can safely be
removed for:
- standalone server
- member server in a domain
- domain controller
--
Will
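
An added example, not part of the original thread or of the Security Guide: a PowerShell audit of the anonymous pipe and share lists discussed above, annotating each pipe with the purpose quoted in the reply. The registry path, the `RestrictNullSessAccess` value name, the service short names and the review heuristic (flag a pipe that is not in the quoted list or whose backing service is not running) are assumptions that the messages do not state.

```powershell
# Standard LanmanServer parameters key (assumption: not named in the thread).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Purposes as quoted from the guide in the reply above.
$purpose = @{
    'COMNAP'    = 'SNA session access'
    'COMNODE'   = 'SNA session access'
    'SQL\QUERY' = 'SQL instance access'
    'SPOOLSS'   = 'Spooler service'
    'LLSRPC'    = 'License Logging service'
    'NETLOGON'  = 'Net Logon service'
    'LSARPC'    = 'LSA access'
    'SAMR'      = 'SAM access'
    'BROWSER'   = 'Computer Browser service'
}
# Assumption: service short names behind some pipes; verify on your build.
$service = @{ 'SPOOLSS' = 'Spooler'; 'LLSRPC' = 'LicenseService'
              'NETLOGON' = 'Netlogon'; 'BROWSER' = 'Browser' }

function Get-AnonymousPipeReport {
    param([string[]]$Pipes)
    foreach ($p in ($Pipes | Where-Object { $_ })) {
        $name  = $p.ToUpper()
        $known = $purpose.ContainsKey($name)
        $state = 'n/a'
        if ($service.ContainsKey($name)) {
            $svc   = Get-Service -Name $service[$name] -ErrorAction SilentlyContinue
            $state = if ($svc) { [string]$svc.Status } else { 'not installed' }
        }
        [pscustomobject]@{
            Pipe    = $p
            Purpose = if ($known) { $purpose[$name] } else { 'UNKNOWN: not in the quoted list' }
            Service = $state
            # Candidate for trimming: unknown entry, or backing service not running.
            Review  = (-not $known) -or ($state -in 'Stopped', 'not installed')
        }
    }
}

$params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
# Constructed fallback: the default list quoted in the thread, used if the key is unreadable.
$pipes = if ($params) { $params.NullSessionPipes } else {
    'COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'netlogon', 'lsarpc', 'samr', 'browser' }

Get-AnonymousPipeReport -Pipes $pipes | Format-Table -AutoSize
if ($params) {
    'Anonymous shares: ' + (($params.NullSessionShares | Where-Object { $_ }) -join ', ')
    "RestrictNullSessAccess = $($params.RestrictNullSessAccess)"
}
```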