With a largely default and up-to-date UCS installation acting as a domain controller, it is possible to anonymously retrieve a list of users via the “SAMR” named pipe, using a tool such as samrdump.py, which comes with impacket (https://github.com/SecureAuthCorp/impacket):
$ samrdump.py dc01.test.local
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
[*] Retrieving endpoint list from dc01.test.local
Found domain(s):
. TEST
. BUILTIN
[*] Looking up users in domain TEST
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: join-backup, uid = 1108
Found user: join-slave, uid = 1109
Found user: ucs-sso, uid = 1110
(truncated)
A list of valid users is a significant security risk, as it makes other attacks (brute forcing of accounts, denial of service against the account lockout function, etc.) much easier.
Is there some way to prevent this function from being used, perhaps by blocking all null SMB sessions?