How do you disable this properly on windows 2008r2 domain controllers?
The microsoft link qualys suggests take you to settings they say has no impact on domain controllers.
I imagine this would take out 45003 also.
There are 6 GPO policies that you'll want to look at:
- Network access: Allow anonymous SID/Name translation (disable)
- Network access: Do not allow anonymous enumeration of SAM accounts (enable)
- Network access: Do not allow anonymous enumeration of SAM accounts and shares (enable)
- Network access: Let Everyone permissions apply to anonymous users (disable)
- Network access: Named Pipes that can be accessed anonymously (none)
- Network access: Shares that can be accessed anonymously (none)
I've tested this on my lab system with positive results.
Retrieving data ...