SID Enumeration engellemesi

[yigitsen]

Selamlar,

DC'nin ipsini yazarak başka bir bilgisayar SID(USER ID) leri gorebiliyor , bunu nasıl engelliyeceğim hakkında bilgi sahibi olan varmı acaba ?
teşekkürler

[emreaydin]

Merhaba,

Click Start, Administrative Tools, Local Security Policy (you can also enter secpol.msc at a command prompt or using Start, Run).
Click on the + next to Local Policies
Click on Security Options
On Windows 2000 systems double-click Additional restrictions for anonymous connections in the details pane and select Do not allow enumeration of SAM accounts and shares from the Local policy setting drop-down list.
On Windows Server 2003 and Windows XP systems select Network access: Allow anonymous SID/Name translation in the details pane and make sure the policy is disabled.
Click OK and close the console.
You can also apply the policy across a domain instead of on one individual computer by following these steps:

Open the Active Directory Users and Computers console screen.
Right-click the domain and select Properties.
Click the Group Policy tab.
Click the Default Domain Policy, and select Edit.
Drill down through the console pane to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
On a Windows 2000 domain, double-click Additional restrictions for anonymous connections. Click the Define this policy option. On the drop-down list, select Do not allow enumeration of SAM accounts and shares.
On a Windows Server 2003 domain, double-click Network access: Allow anonymous SID/Name translation and make sure the policy is disabled.
Click OK and close the console.

Referans:

http://www.windowsnetworking.com/kba...ionofSIDs.html

Emre AYDIN