如何禁用DC的空会话枚举?

我是一个公司的系统pipe理员,我们刚刚在内部networking上进行了渗透testing,团队发现可以使用以下命令执行查询\列举我们的DC(Server 2012)信息:

Global.exe – shows a list of users in a DA group (such as "Domain Administrators" and "Enterprise Admins" Getpolicy.exe – shows the password policy of the domain. Local.exe – FAILED – shows the local administrators on any individual machine. 

他们的build议是:

 Enable the "Restrict Anonymous" registry key setting on all Windows domain controllers and any other sensitive NT/2000 servers or workstations. In order to configure the "Restrict Anonymous" setting: ·Open Regedt32.exe (Start > run > type 'regedt32' and click OK) ·Locate the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA ·Double Click the DWORD Value Name: 'RestrictAnonymous' ·Enter the appropriate setting according to your environment. For Windows 2003 and later, edit the network security settings in the group policy editor. · Network Access: Do not allow anonymous enumeration of SAM accounts and shares · Network Access: Do not allow anonymous enumeration of SAM accounts Disable the following settings: · Network Access: Anonymous access to Named Pipes and Shares · Network Access: Allow anonymous SID/Name translation 

但是,如果我没有弄错,我们已经将所有这些build议放在当前的Live GPO Setup中:

 Computer configuration\Policies\Windows settings\Security Settings\Local Policies\SecurityOptions - Enabled Network access: Restrict Anonymous access to Named Pipes and Shares Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Shares that can be accessed anonymously = nullsessionpipe - Disabled Network access: Let Everyone permissions apply to anonymous users – Already set up on GPO Network access: Allow anonymous SID/Name translation – Already set up on GPO Additional mitigation we have: Use GPO to update register with the following HKEY\SYSTEM\CurrentControlSet\Control\Lsa: RestrictAnonymous = 1 Restrict AnonymousSAM = 1 EveryoneIncludesAnonymous = 0 

他们声称,因为我们的全局设置是正确的,并且其中一个枚举\查询不起作用(local.exe),我们可能会有不同的设置覆盖这些设置,并且无法攻击者运行Getpolicy.exe和Global 。可执行程序。 什么可能导致这个? 哪里可以find解决这个问题? 如果它可能完全禁止/禁用空会话也是可以接受的,但是我想知道如何保持它,并阻止它做到上述。 谢谢!