Server 2008r2 - Default DC Policy - Network access: Named Pipes that can be accessed anonymously (Netlogon, samr, lsarpc removal)

    Question

  • Hello,

    I wonder if anyone can help me answer a specific 2008r2 and later question to do with the 'Security Option' - "Network access: Named Pipes that can be accessed anonymously". I can find a lot of information on 2003 and NT4 on the internet about these settings, but not so much on later OSes.

    By default there are now no named pipes listed for normal 2008r2 servers in this setting. However, the Default Domain Controller policy for 2008r2 does still list 3 pipes by default - Netlogon, samr, lsarpc - see link below:

    https://technet.microsoft.com/en-us/library/jj852278%28v=ws.11%29.aspx

    My customer would like me to remove these 3 exclusions (Netlogon, samr, lsarpc) from the Default Domain Controller policy to pass a security test on the DCs. However, I want to know what the implications of doing so on the 2008r2 DCs will be. I know samr has previously been used for adding computers to domains and netlogon itself may need some level of anonymous access to the DCs to function. Our domains are all 2008r2 OS and 2008r2 FL, so am I OK to remove these settings if no legacy domains exist?

    There must be a reason why MS has permitted these exceptions by default on the Default Domain Controllers policy for 2008r2. Does anyone know why this is (or have a link to any documentation containing these reasons)?

    Any help appreciated,

    Regards,

    Pete




    • Edited by PeteMitch99 Wednesday, May 18, 2016 12:11 AM
    Wednesday, May 18, 2016 12:07 AM

Answers

  • Hi Pete,

    I know samr has previously been used for adding computers to domains and netlogon itself may need some level of anonymous access to the DCs to function. Our domains are all 2008r2 OS and 2008r2 FL, so am I OK to remove these settings if no legacy domains exist?

    >>>I think it is ok to remove the Netlogon, samr, lsarpc from default domain controller policy.

    It is a behavior that promotes the security of your AD environment.

    The implication of removing these protocols, in my opinion, is that it may cause SID translation failures from a trusted domain.

    For more information, you could refer to the article below.

    Troubleshooting SID translation failures from the obvious to the not so obvious

    https://blogs.technet.microsoft.com/askds/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious/

    In addition, the setting has been set to None in Windows Server 2012 R2.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 5:43 AM
    Moderator
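The thread discusses removing Netlogon, samr and lsarpc from the "Network access: Named Pipes that can be accessed anonymously" setting and the SID-translation risk that follows. The script below is an added example, not code from the thread or from Microsoft: it audits what a server currently exposes to anonymous (null-session) callers by reading the registry value this policy writes (NullSessionPipes, a REG_MULTI_SZ under LanManServer\Parameters), compares it with the three pipes the 2008 R2 Default Domain Controllers Policy lists, and offers a small SID-translation check to run against a trusted-domain account after the change. The account name passed to Test-SidTranslation is a placeholder you supply; the function and report names are this example's own.

```powershell
# Added example (not from the original thread). Read-only audit of anonymous named pipes.
# The GPO setting "Network access: Named Pipes that can be accessed anonymously" is stored
# as the REG_MULTI_SZ value NullSessionPipes under LanManServer\Parameters.
# Run in an elevated PowerShell session on the DC; nothing here modifies the system.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
# Pipes the 2008 R2 Default Domain Controllers Policy lists by default (per the thread).
$DcDefaultPipes = @('netlogon', 'samr', 'lsarpc')

function Get-AnonymousNamedPipes {
    param([string]$Path = $RegPath)
    $item = Get-ItemProperty -Path $Path -Name 'NullSessionPipes' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.NullSessionPipes) { return @() }
    # REG_MULTI_SZ is returned as a string array; drop empty entries and normalise case.
    return @($item.NullSessionPipes |
        Where-Object { $_ -ne '' } |
        ForEach-Object { $_.ToLowerInvariant() })
}

function Compare-AnonymousPipeBaseline {
    param([string[]]$Current, [string[]]$Baseline = $DcDefaultPipes)
    [pscustomobject]@{
        StillExposed = @($Current  | Where-Object { $Baseline -contains $_ })
        Removed      = @($Baseline | Where-Object { $Current -notcontains $_ })
        Unexpected   = @($Current  | Where-Object { $Baseline -notcontains $_ })
    }
}

function Format-PipeList {
    param([string[]]$Pipes)
    if ($Pipes.Count -eq 0) { return '<none>' }
    return ($Pipes -join ', ')
}

# Validation step for the answer's caveat: after removing the pipes, confirm that a
# name from a trusted domain still resolves to a SID from this DC. Replace the
# placeholder with a real 'TRUSTEDDOMAIN\account' from your environment.
function Test-SidTranslation {
    param([Parameter(Mandatory)][string]$AccountName)
    try {
        $sid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $AccountName; Sid = $sid.Value; Translated = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Account = $AccountName; Sid = $null; Translated = $false; Error = $_.Exception.Message }
    }
}

$current = Get-AnonymousNamedPipes
$report  = Compare-AnonymousPipeBaseline -Current $current

"Host                              : $env:COMPUTERNAME"
'Anonymous pipes currently allowed : ' + (Format-PipeList $current)
'Default DC pipes still exposed    : ' + (Format-PipeList $report.StillExposed)
'Default DC pipes already removed  : ' + (Format-PipeList $report.Removed)
'Pipes outside the default list    : ' + (Format-PipeList $report.Unexpected)

# Example call (placeholder account, not a real identity):
# Test-SidTranslation -AccountName 'TRUSTEDDOMAIN\someuser' | Format-List
```

Because the value is policy-managed, change it through the Default Domain Controllers Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options) rather than in the registry; a direct registry edit is reverted at the next policy refresh. Run the audit before and after the change on every DC, and keep the SID-translation check in the post-change test plan so a failure from a trusted domain is caught before users report it.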