Restrict clients allowed to make remote calls to SAM

The “Network access: Restrict clients allowed to make remote calls to SAM” security policy setting manages which users are permitted to view the list of users and groups stored in both the local Security Accounts Manager (SAM) database and Active Directory through remote calls.

This policy setting lets you restrict remote RPC connections to SAM. If the policy is not defined, the default security descriptor is used.

Depending on the configuration, users may be unable to run certain apps that require remote access to the SAM.

What is a SAMR call?

SAMR is a Remote Procedure Call (RPC) protocol built on top of the SMB protocol that facilitates communication between client and server systems. It is used to administer user accounts, group accounts, and security policy data on remote systems. Windows domain controllers mainly use SAMR to synchronize and administer user accounts.

SAMR and SAMRPC refer to the same thing:

  • SAMR stands for Security Account Manager Remote Protocol
  • SAMRPC stands for Security Account Manager Remote Procedure Call

They both represent the protocol used for remote administration of user accounts, group accounts, and security policy information in Windows systems. The terms are often used interchangeably to describe the same underlying protocol.

Vulnerability

The SAMRPC protocol makes it possible for a low-privileged user to query a machine on the network for account data. A user can employ SAMRPC to list users, including privileged accounts such as local or domain administrators, and to list groups and their memberships from both the local SAM and Active Directory. This information can offer crucial insight and act as a launchpad for an attacker aiming to breach a domain or network environment.

Mitigating the SAMRPC protocol

To mitigate the risk, set up the “Network access: Restrict clients allowed to make remote calls to SAM” security policy. This setting makes the Security Accounts Manager (SAM) perform an access check for remote calls, which permits or denies remote RPC connections to SAM and Active Directory based on the users and groups you specify.

Configure Network access: Restrict clients allowed to make remote calls to SAM

The Windows Security Account Manager (SAM) stores users’ passwords. Restricting remote RPC connections to the SAM to Administrators helps protect those credentials.

Configure this policy based on the security requirements for your organization.

To configure the setting:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictRemoteSAM
Value Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)

  • Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> “Network access: Restrict clients allowed to make remote calls to SAM”.
  • Select “Edit Security” to configure the “Security descriptor:”.
  • Add “Administrators” in “Group or user names:” if it is not already listed (this is the default).
  • Select “Administrators” in “Group or user names:”.
  • Select “Allow” for “Remote Access” under “Permissions for Administrators”.
  • Click “OK”.
  • The “Security descriptor:” field must be populated with “O:BAG:BAD:(A;;RC;;;BA)” for the policy to be enforced.

By default, the Network access: Restrict clients allowed to make remote calls to SAM security policy setting isn’t defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy isn’t enforced.

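As an added example (not code from the original article), the following PowerShell applies the RestrictRemoteSAM value described above, reads it back, and decodes the SDDL so each access control entry can be reviewed instead of eyeballed; a helper also shows how a second group is appended to the string when you edit the default descriptor. It assumes an elevated Windows PowerShell 5.1 or later session on the host being hardened; the group name CONTOSO\SAM Auditors is a hypothetical placeholder.

```powershell
# Added example, not code from the original article. Assumes an elevated
# Windows PowerShell (5.1 or later) session on the host being hardened.
# 'CONTOSO\SAM Auditors' is a hypothetical group name used only to show how a
# second principal is added to the descriptor.

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'RestrictRemoteSAM'
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # owner BA, group BA, one ACE: allow RC to Builtin\Administrators
$ReadControl = 0x20000                     # READ_CONTROL; SDDL abbreviates it as RC, the UI calls it "Remote Access"

function Set-RemoteSamPolicy {
    param([Parameter(Mandatory)][string]$Sddl)
    # Validate before writing: the constructor throws on malformed SDDL, so a typo
    # never reaches the registry (a blank or broken value means the policy is not enforced).
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Sddl -Type String
}

function Get-RemoteSamPolicy {
    # Returns one row per ACE so the effective allow/deny list can be reviewed or exported.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning 'RestrictRemoteSAM is not defined; the default descriptor applies.'; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($item.$ValueName)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $principal = $ace.SecurityIdentifier.Value
        # Resolve the SID to a name where possible; keep the raw SID if it cannot be translated.
        try { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            AceType      = $ace.AceType                                   # AccessAllowed or AccessDenied
            Principal    = $principal
            RemoteAccess = (($ace.AccessMask -band $ReadControl) -ne 0)  # does the ACE carry the RC right?
            Sddl         = $item.$ValueName
        }
    }
}

function Add-RemoteSamAllowAce {
    # Appends an allow-RC ACE for another account or group to an existing descriptor string.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $new = "$Sddl(A;;RC;;;$sid)"
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)   # round-trip check
    return $new
}

# Apply the documented default and review the resulting ACE list.
Set-RemoteSamPolicy -Sddl $DefaultSddl
Get-RemoteSamPolicy | Format-Table -AutoSize

# To allow one additional group (hypothetical name), extend the string rather than hand-editing it:
# Set-RemoteSamPolicy -Sddl (Add-RemoteSamAllowAce -Sddl $DefaultSddl -Account 'CONTOSO\SAM Auditors')
```

Parsing the value back through RawSecurityDescriptor is the useful part: on a fleet of hosts the same Get-RemoteSamPolicy output can be collected centrally and any ACE whose principal is not Administrators flagged for review.
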
Group Policy Configuration of Network access: Restrict clients allowed to make remote calls to SAM

To establish the recommended configuration via Group Policy (GP), set the following UI path to Administrators: Remote Access: Allow:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

Configuration Hardening Automation

The SAM database contains highly sensitive account information such as password hashes and account settings. Restricting remote access to administrators only limits the risk of this data being exposed or misused by unauthorized users. Automating the setting ensures it is applied consistently.

Automation primarily improves security, compliance, convenience, reliability and scalability when restricting SAM access. IT teams benefit from hardened servers they can trust while avoiding tedious manual work.

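An added example, not code from the original article or any vendor tool: the same setting enforced and re-checked from a script through the built-in secedit tool, which consumes the security-template format that the Group Policy security option above is stored in. It assumes an elevated Windows PowerShell session; the scratch folder under $env:TEMP and the file names are constructed for this example.

```powershell
# Added example, not code from the original article. Uses the built-in secedit
# tool to apply and verify the RestrictRemoteSAM security option from a script.
# Assumes an elevated Windows PowerShell session; the scratch folder and file
# names below are constructed for this example.

$WorkDir      = Join-Path $env:TEMP 'restrict-remote-sam'   # constructed scratch location
$ExpectedSddl = 'O:BAG:BAD:(A;;RC;;;BA)'

# Minimal security template. In [Registry Values] the number after '=' is the
# value type (1 = REG_SZ, 4 = REG_DWORD) and the quoted part is the data.
# Single-quoted here-string so "$CHICAGO$" is not expanded by PowerShell.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)"
'@

function Invoke-RestrictRemoteSamTemplate {
    # Writes the template to disk and applies it to a local policy database.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'restrict-remote-sam.inf'
    $db  = Join-Path $WorkDir 'restrict-remote-sam.sdb'
    Set-Content -Path $inf -Value $Template -Encoding Unicode
    # SECURITYPOLICY covers the Security Options area, where this registry value lives.
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

function Test-RestrictRemoteSamPolicy {
    # Exports the effective local security policy and compares the value to the expected SDDL,
    # which is the drift check an automation job would run on every host.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $export = Join-Path $WorkDir 'current-policy.inf'
    secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null
    $line = Get-Content -Path $export | Where-Object { $_ -match '\\Lsa\\RestrictRemoteSAM=' } | Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Compliant = $false; Actual = $null; Reason = 'RestrictRemoteSAM is not defined' }
    }
    # Exported form: <registry path>=1,"<sddl>"
    $actual = (($line -split '=', 2)[1] -replace '^1,"' -replace '"$')
    $ok     = ($actual -eq $ExpectedSddl)
    $reason = if ($ok) { 'matches expected descriptor' } else { 'descriptor differs from expected value' }
    [pscustomobject]@{ Compliant = $ok; Actual = $actual; Reason = $reason }
}

Invoke-RestrictRemoteSamTemplate
Test-RestrictRemoteSamPolicy
```

Test-RestrictRemoteSamPolicy can be run on its own as a read-only check; only Invoke-RestrictRemoteSamTemplate changes the host, and it does so through the same security-template path a GPO would use, so the result is visible to Group Policy reporting tools as well as in the registry.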