{
	"id": "6afabbaa-df78-4f4d-9f5a-19eec85ade8c",
	"created_at": "2026-04-06T00:09:17.013564Z",
	"updated_at": "2026-04-10T03:20:24.636779Z",
	"deleted_at": null,
	"sha1_hash": "c76e911e796dfd53f07baecf3774ee20b4df66e0",
	"title": "Network access Do not allow anonymous enumeration - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40220,
	"plain_text": "Network access Do not allow anonymous enumeration - Windows\r\n10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 16:25:34 UTC\r\nApplies to\r\nWindows 10\r\nDescribes the best practices, location, values, and security considerations for the Network access: Do not allow\r\nanonymous enumeration of SAM accounts and shares security policy setting.\r\nReference\r\nThis policy setting determines which other permissions will be assigned for anonymous connections to the device.\r\nWindows allows anonymous users to perform certain activities, such as enumerating the names of domain\r\naccounts and network shares. This permission is convenient, for example, when an administrator wants to give\r\naccess to users in a trusted domain that doesn't maintain a reciprocal trust. However, even with this policy setting\r\nenabled, anonymous users will have access to resources with permissions that explicitly include the built-in group,\r\nANONYMOUS LOGON.\r\nThis policy setting has no impact on domain controllers. Misuse of this policy setting is a common error that can\r\ncause data loss or problems with data access or security.\r\nPossible values\r\nEnabled\r\nDisabled\r\nNo other permissions can be assigned by the administrator for anonymous connections to the device.\r\nAnonymous connections will rely on default permissions. However, an unauthorized user could\r\nanonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.\r\nNot defined\r\nLocation\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares\r\nPage 1 of 3\n\nDefault values\r\nThe following table lists the actual and effective default values for this policy. 
Default values are also listed on the policy’s property page.\r\nServer type or GPO | Default value\r\nDefault Domain Policy | Not defined\r\nDefault Domain Controller Policy | Not defined\r\nStand-Alone Server Default Settings | Disabled\r\nDC Effective Default Settings | Disabled\r\nMember Server Effective Default Settings | Disabled\r\nClient Computer Effective Default Settings | Disabled\r\nPolicy management\r\nThis section describes features and tools that are available to help you manage this policy.\r\nRestart requirement\r\nNone. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.\r\nPolicy conflicts\r\nEven with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista).\r\nGroup Policy\r\nThis policy has no impact on domain controllers.\r\nSecurity considerations\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.\r\nVulnerability\r\nAn unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks.\r\nCountermeasure\r\nEnable the Network access: Do not allow anonymous enumeration of SAM accounts and shares setting.\r\nPotential impact\r\nIt's impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain.
Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers.\r\nSecurity Options\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares"
	],
	"report_names": [
		"network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares"
	],
	"threat_actors": [],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c76e911e796dfd53f07baecf3774ee20b4df66e0.pdf",
		"text": "https://archive.orkl.eu/c76e911e796dfd53f07baecf3774ee20b4df66e0.txt",
		"img": "https://archive.orkl.eu/c76e911e796dfd53f07baecf3774ee20b4df66e0.jpg"
	}
}