STIGQter STIGQter: STIG Summary: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide Version: 1 Release: 31 Benchmark Date: 26 Jul 2019: Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.

DISA Rule

SV-46295r1_rule

Vulnerability Number

V-3338

Group Title

Anonymous Access to Named Pipes

Rule Version

3.063-DC

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Named pipes that can be accessed anonymously" to only include "netlogon, samr, lsarpc".

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "Network access: Named pipes that can be accessed anonymously" contains entries other than "netlogon"," samr", and "lsarpc", this is a finding.

The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\

Value Name: NullSessionPipes

Value Type: REG_MULTI_SZ
Value: netlogon, samr, lsarpc


Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the IAO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.

Vulnerability Number

V-3338

Documentable

False

Rule Version

3.063-DC

Severity Override Guidance

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "Network access: Named pipes that can be accessed anonymously" contains entries other than "netlogon"," samr", and "lsarpc", this is a finding.

The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\

Value Name: NullSessionPipes

Value Type: REG_MULTI_SZ
Value: netlogon, samr, lsarpc


Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the IAO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.

Check Content Reference

M

Responsibility

System Administrator

Target Key

1823

Comments