
Anonymous SID/Name translation will not be allowed.


Overview

Finding ID: V-3337
Version: 3.062
Rule ID: SV-32316r1_rule
IA Controls:
Severity: High
Description
This is a Category 1 finding because this setting controls the ability of users or processes that have authenticated as anonymous users to perform SID/Name translation. This setting should be disabled, as only authorized users should be able to perform such translations.
STIG: Windows Server 2008 R2 Member Server Security Technical Implementation Guide
Date: 2016-06-08

Details

Check Text (C-32888r1_chk)
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options.

If the value for “Network access: Allow anonymous SID/Name translation” is not set to “Disabled”, then this is a finding.

Documentable Explanation: The default setting for domain controllers is Enabled. Disabling it means that legacy systems may be unable to communicate with Windows Server 2003/2008-based domains. This requirement should be documented with the IAO.

Fix Text (F-28818r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Allow anonymous SID/Name translation” to “Disabled”.
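
The check described above can also be scripted. The following is an added example, not part of the STIG text: it exports the security policy with secedit and reads LSAAnonymousNameLookup, the security template key behind this policy (0 = Disabled, 1 = Enabled). The function name and output fields are this example's own, and it assumes an elevated session.

```powershell
# Added example: audit for V-3337. Function name and output fields are this
# example's own. Run from an elevated prompt; written to work on PowerShell 2.0.
function Test-AnonymousSidNameTranslation {
    param(
        # Optional: path to an existing secedit export. If omitted, one is created.
        [string]$TemplatePath
    )

    $exported = $false
    if (-not $TemplatePath) {
        $TemplatePath = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
        & secedit.exe /export /cfg $TemplatePath /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE); is the session elevated?"
        }
        $exported = $true
    }

    try {
        # [System Access] LSAAnonymousNameLookup: 0 = Disabled, 1 = Enabled
        $hit = Select-String -Path $TemplatePath `
                   -Pattern '^\s*LSAAnonymousNameLookup\s*=\s*(\d+)' |
               Select-Object -First 1

        if ($hit) {
            $value = [int]$hit.Matches[0].Groups[1].Value
            $state = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        } else {
            # Key absent from the export: the setting is not "Disabled", so report it.
            $value = $null
            $state = 'NotDefined'
        }

        New-Object PSObject -Property @{
            FindingId = 'V-3337'
            Setting   = 'Network access: Allow anonymous SID/Name translation'
            RawValue  = $value
            State     = $state
            IsFinding = ($state -ne 'Disabled')
        }
    }
    finally {
        # Remove only the temporary file this function created.
        if ($exported -and (Test-Path $TemplatePath)) { Remove-Item $TemplatePath -Force }
    }
}

Test-AnonymousSidNameTranslation | Format-List
```

IsFinding is True for any state other than Disabled, matching the check text's "not set to Disabled" condition.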