Disable unauthorized user account discovery (anonymous SAM enumeration)
- Windows onlyThis script improves your privacy on Windows
- Single actionThis page belongs to a script, containing basic changes to achieve a task.
- Impact: Minimum
System Functionality / Data Loss Risk: Low
This action improves privacy with minimal impact when you run the recommended script.
- Batch (batchfile)These changes use Windows system commands to update your settings.
- Administrator rights requiredThis script requires privilege access to do the system changes
- Fully reversible
You can fully restore this action (revert back to the original behavior) using this website.
The restore/revert methods provided here can help you fix issues.
Overview
This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM) 1 2 3 4 5 6. The Security Accounts Manager (SAM) is a database in Windows that stores user account information and is critical for user authentication processes. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information 4 6 7 8. This is a security action recommended by organizations like the Department of Defense 1, NASA 2, IRS 8, NIST 6, CIS 4, and Microsoft 3.
The change is enacted through the HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam
registry
value 1 2 4 5. By default, it's enabled 4 and Windows restricts this setting if the registry value does
not exist 3.
While the script protects against these threats, it may also affect compatibility with older systems. It prevents trust with Windows NT 4.0 domains 4 5 7 9 and causes issues for older systems such as Windows NT 3.51 and Windows 95 when accessing server resources 4 5 7. Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup 7.
The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings 5 7. The policy setting does not require a restart to become effective 5, and there is no impact on current systems where the default behavior already includes this restriction 4.
Despite the potential interoperability issues with older systems, the script maintains a security posture that is important in modern networks to minimize unauthorized access and protect user privacy.
This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote administration is necessary.
Sources
- Anonymous enumeration of SAM accounts must not be allowed.. www.stigviewer.com. (2023).
Original: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
Archived: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 - CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark. nasa.gov. (2023).
Original: https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf
Archived: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf - Reference - Azure Policy guest configuration baseline for Windows - Azure Policy. Microsoft Learn. learn.microsoft.com. (2023).
Original: https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows
Archived: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access - CIS Microsoft Windows Server 2012 R2 Benchmark. temple.edu. (2023).
Original: https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf
Archived: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf - Network access: Do not allow anonymous enumeration of SAM accounts. Microsoft Learn. learn.microsoft.com. (2023).
Original: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29
Archived: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 - USGCB Windows Settings. nist.gov. (2023).
Original: https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls
Archived: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls - Client, service, and program issues can occur if you change security settings and user rights assignments - Microsoft Support. support.microsoft.com. (2023).
Original: https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a
Archived: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a - IRS Office of Safeguards SCSEM. irs.gov. (2023).
Original: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx
Archived: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx - Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server. Microsoft Learn. learn.microsoft.com. (2023).
Original: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly
Archived: https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly
Apply Now
Choose one of three ways to apply:
Download script
Download and run the script directly- No app needed
- Offline usage
- Easy-to-apply
- Free
- Open-source
Apply with privacy.sexy
Guided, automated application with safety checks- Recommended for most users
- Includes safety checks
- Free
- Open-source
- Popular
- Offline/Online usage
- Apply
- Revert
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; $data = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' /v 'restrictanonymoussam' /t 'REG_DWORD' /d "^""$data"^"" /f"
Ijo6IFNldCB0aGUgcmVnaXN0cnkgdmFsdWUgXCJIS0xNXFxTWVNURU1cXEN1cnJlbnRDb250cm9sU2V0XFxDb250cm9sXFxMc2EhcmVzdHJpY3Rhbm9ueW1vdXNzYW1cIlxuUG93ZXJTaGVsbCAtRXhlY3V0aW9uUG9saWN5IFVucmVzdHJpY3RlZCAtQ29tbWFuZCBcIiRyZXZlcnREYXRhID0gJzEnOyByZWcgYWRkICdIS0xNXFxTWVNURU1cXEN1cnJlbnRDb250cm9sU2V0XFxDb250cm9sXFxMc2EnIC92ICdyZXN0cmljdGFub255bW91c3NhbScgL3QgJ1JFR19EV09SRCcgL2QgXCJeXCJcIiRyZXZlcnREYXRhXCJeXCJcIiAvZlwiIg==
Similar Guides
Wider Goal
Guides below includes this guide to achieve a wider goal.See other more general settings that includes this one as one of its actions.
These plans combine multiple privacy settings, including this one, for stronger protection.
- Disable insecure remote administration access
- Improve network security
- Security improvements
This category improves security by disabling insecure remote administration features. Organizations use remote administration tools to manage multiple systems from...
This category is dedicated to improving network security. It aims to minimize vulnerabilities by offering various settings that improve the integrity and confident...
This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices. These scripts help protect your ...
Same Goal
Other guides in Disable insecure remote administration accessSee settings that are in the same category as this guide.
Using other actions in the same category may help you achieve your goal better.
See all 7 guides
About the Creators
These people have authored this documentation and written its scripts:
Reviewed By
This guide has undergone comprehensive auditing and peer review:Expert review by undergroundwires
- Verified technical accuracy and editorial standards
- Assessed system impact and user privacy risks
Public review by large community
- Privacy enthusiasts and professionals peer-reviewed
- Millions of end-users tested across different environments
History
We continually monitor our guides, their impact and all other privacy options. We update our guides when new information becomes available. On every update, we publicly store who made the change, what has been changed, why the change was made and when the change was made.