When our fpolicy server resides on a Windows 2008 R2 server machine, we see NetApp dropping the connection to our server as soon as it decides to send events. Although our fpolicy server detects the dropped connection and connects back, this problem does not go away. Our filer and the Windows server running the fpolicy server are configured to use SMB v1, and SMB signing is turned off.
A few searches on the Internet revealed that this problem has been solved by changing the Local Security Policy settings on the fpolicy server machine, because NetApp's fpolicy layer makes anonymous access to the pipe on the Windows machine running the fpolicy server.
The settings are the following:
- Network access: Do not allow anonymous enumeration of SAM accounts - change it to Disabled. (default is Enabled)
- Network access: Let Everyone permissions apply to Anonymous users - change it to Enabled. (default is Disabled)
- Network access: Restrict anonymous access to Named Pipes and Shares - change it to Disabled. (default is Enabled)
- Open Network access: Named Pipes that can be accessed anonymously and check if NTAPFPRQ exists. Otherwise, add it.
The Trend Micro link above talks about #1 to #4 above, and the Symantec links point to #2 and #4 only.
When the above settings are changed, the problem goes away. Now, questions are being asked about these settings and their security implications, especially #1 above. I would like to know if it is recommended that all four of these settings be used. If not, which settings should be changed?
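
A read-only audit of the four settings listed in the post, as an added example that is not part of the original post. It assumes the registry values that back these Local Security Policy entries (RestrictAnonymousSAM, EveryoneIncludesAnonymous, RestrictNullSessAccess, NullSessionPipes) and uses the defaults the post states; the function name is hypothetical.

```powershell
# Added example, not from the original post. Reads only; changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Settings #1 to #3 from the post; Default is the value the post gives
# (Enabled = 1, Disabled = 0).
$checks = @(
    @{ N = 1; Path = $lsa; Name = 'RestrictAnonymousSAM';      Default = 1 },
    @{ N = 2; Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Default = 0 },
    @{ N = 3; Path = $srv; Name = 'RestrictNullSessAccess';    Default = 1 }
)

# Hypothetical helper: returns $null when the value is absent.
function Get-RegValueOrNull($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $v = Get-RegValueOrNull $c.Path $c.Name
    if ($null -eq $v)            { $state = 'not set (OS default applies)' }
    elseif ($v -eq $c.Default)   { $state = 'default' }
    else                         { $state = 'CHANGED from default' }
    '#{0} {1} = {2} -> {3}' -f $c.N, $c.Name, $v, $state
}

# Setting #4: the list of pipes reachable anonymously (REG_MULTI_SZ).
$pipes = @(Get-RegValueOrNull $srv 'NullSessionPipes') | Where-Object { $_ }
if ($pipes -contains 'NTAPFPRQ') {
    '#4 NullSessionPipes contains NTAPFPRQ'
} else {
    '#4 NullSessionPipes does not contain NTAPFPRQ'
}

# Every other entry is also reachable anonymously, so list it for review.
$others = @($pipes | Where-Object { $_ -ne 'NTAPFPRQ' })
if ($others.Count -gt 0) {
    '   other anonymous pipes: ' + ($others -join ', ')
}
```

Running it before and after each policy change records which of the four values actually differ from their defaults on the fpolicy server.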