Hello,
I wonder if anyone can help me answer a specific 2008r2 and later question to do with the 'Security Option' - "Network access: Named Pipes that can be accessed anonymously". I can find a lot of information on 2003 and NT4 on the internet about these settings, but not so much on later OSes.
By default there are now no named pipes listed for normal 2008r2 servers in this setting. However, the Default Domain Controller policy for 2008r2 does still list 3 pipes by default - Netlogon, samr, lsarpc - see link below:
https://technet.microsoft.com/en-us/library/jj852278%28v=ws.11%29.aspx
My customer would like me to remove these 3 exclusions (Netlogon, samr, lsarpc) from the Default Domain Controller policy to pass a security test on the DCs. However, I want to know what the implications of doing so on the 2008r2 DCs will be. I know samr has previously been used for adding computers to domains and netlogon itself may need some level of anonymous access to the DCs to function. Our domains are all 2008r2 OS and 2008r2 FL, so am I OK to remove these settings if no legacy domains exist?
There must be a reason why MS has permitted these exceptions by default on the Default Domain Controllers policy for 2008r2. Does anyone know why this is (or has a link to any documentation containing these reasons)?
Any help appreciated,
Regards,
Pete