Skip to main content

Disable unauthorized user account discovery (anonymous SAM enumeration)

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM) 1 2 3 4 5 6. The Security Accounts Manager (SAM) is a database in Windows that stores user account information and is critical for user authentication processes. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information 4 6 7 8. This is a security action recommended by organizations like the Department of Defense 1, NASA 2, IRS 8, NIST 6, CIS 4, and Microsoft 3.

The change is enacted through the HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam registry value 1 2 4 5. By default, it's enabled 4 and Windows restricts this setting if the registry value does not exist 3.

While the script protects against these threats, it may also affect compatibility with older systems. It prevents trust with Windows NT 4.0 domains 4 5 7 9 and causes issues for older systems such as Windows NT 3.51 and Windows 95 when accessing server resources 4 5 7. Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup 7.

The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings 5 7. The policy setting does not require a restart to become effective 5, and there is no impact on current systems where the default behavior already includes this restriction 4.

Despite the potential interoperability issues with older systems, the script maintains a security posture that is important in modern networks to minimize unauthorized access and protect user privacy.

Caution

This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote administration is necessary.

This script uses Batch (batchfile) scripting language.

Safe for General Use

This script is recommended for all users. It helps to improve privacy without affecting stability.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Disable insecure remote administration access category. This category improves security by disabling insecure remote administration features. Organizations use remote administration tools to manage multiple systems from a central location, performing tasks such as software updates, system checks, and configuration changes. However, if not properly... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable unauthorized user account discovery (anonymous SAM enumeration).
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; $data = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' /v 'restrictanonymoussam' /t 'REG_DWORD' /d "^""$data"^"" /f"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Set the registry value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam"
PowerShell -ExecutionPolicy Unrestricted -Command "$revertData = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' /v 'restrictanonymoussam' /t 'REG_DWORD' /d "^""$revertData"^"" /f"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: