Microsoft has released a PowerShell script called Net Cease that hardens machines against reconnaissance, a key stage in an advanced attacker's kill chain. According to details of the release on Microsoft TechNet, “once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users.” Administrators will typically run the script on Domain Controllers (DCs).
“The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions. This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.”
By default, the NetSessionEnum method can be executed by any authenticated user, including network-connected users, which effectively means that any domain user is able to execute it remotely.
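The check below is an added example, not part of the NetCease script or the TechNet release: it reads a NetSessionEnum security descriptor and reports whether Authenticated Users still holds an allow entry and whether the interactive, service and batch logon SIDs are present. It assumes the descriptor is stored as binary in the `SrvsvcSessionInfo` value under the LanmanServer `DefaultSecurity` key (a location not stated on this page); the function names and the two SDDL samples are constructed for illustration.

```powershell
# Assumption: registry location of the NetSessionEnum security descriptor.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$ValueName = 'SrvsvcSessionInfo'

# Well-known SIDs for the groups named in the description above.
$AuthenticatedUsers = 'S-1-5-11'
$LogonTypeSids = @{ 'S-1-5-4' = 'INTERACTIVE'; 'S-1-5-6' = 'SERVICE'; 'S-1-5-3' = 'BATCH' }

function Test-NetSessionEnumDacl {
    param([Parameter(Mandatory)][byte[]]$DescriptorBytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($DescriptorBytes, 0)
    # Collect the SID of every allow ACE in the DACL.
    $allowed = @($sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' } |
        ForEach-Object { $_.SecurityIdentifier.Value })
    $missing = @($LogonTypeSids.Keys |
        Where-Object { $allowed -notcontains $_ } |
        ForEach-Object { $LogonTypeSids[$_] })
    [pscustomobject]@{
        AuthenticatedUsersAllowed = ($allowed -contains $AuthenticatedUsers)
        MissingLogonTypes         = $missing
        Hardened                  = (($allowed -notcontains $AuthenticatedUsers) -and ($missing.Count -eq 0))
        AllowedSids               = $allowed
    }
}

# Hypothetical helper: turn an SDDL string into the binary form the registry holds.
function ConvertTo-SdBytes([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    ,$bytes
}

# Constructed samples (access mask 0x1 is a placeholder, not the real right).
$unhardened = 'D:(A;;0x1;;;S-1-5-11)(A;;0x1;;;S-1-5-32-544)'
$hardened   = 'D:(A;;0x1;;;S-1-5-4)(A;;0x1;;;S-1-5-6)(A;;0x1;;;S-1-5-3)(A;;0x1;;;S-1-5-32-544)'
Test-NetSessionEnumDacl -DescriptorBytes (ConvertTo-SdBytes $unhardened)  # Hardened = False
Test-NetSessionEnumDacl -DescriptorBytes (ConvertTo-SdBytes $hardened)    # Hardened = True

# On a real host, audit the live value if it is present.
$live = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($live) { Test-NetSessionEnumDacl -DescriptorBytes ([byte[]]$live) }
```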