Restrict clients allowed to make remote calls to SAM

Ben Balkin
Updated on: March 22, 2026

The “Network access: Restrict clients allowed to make remote calls to SAM” security policy setting controls which users are permitted to enumerate the users and groups stored in the local Security Accounts Manager (SAM) database and in Active Directory through remote calls.

This policy setting lets you restrict remote RPC connections to the SAM. If it is not defined, the default security descriptor is used.

Depending on how it is configured, some users may be unable to run applications that require remote access to the SAM.

What is a SAMR call?

SAMR is a Remote Procedure Call (RPC) protocol carried over SMB that lets client and server systems communicate. It is used to administer user accounts, group accounts, and security policy data on remote systems. Windows domain controllers mainly use SAMR to synchronize and administer user accounts.

SAMR and SAMRPC refer to the same thing:

  • SAMR stands for Security Account Manager Remote Protocol
  • SAMRPC stands for Security Account Manager Remote Procedure Call

They both represent the protocol used for remote administration of user accounts, group accounts, and security policy information in Windows systems. The terms are often used interchangeably to describe the same underlying protocol.

Vulnerability

The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. A user can employ SAMRPC to list users, including privileged accounts like local or domain administrators, or to list groups and their memberships from both the local SAM and Active Directory. This data can offer crucial insights and act as a launchpad for an attacker aiming to breach a domain or network environment.

Mitigating SAMRPC protocol

To mitigate the risk, configure the “Network access: Restrict clients allowed to make remote calls to SAM” security policy. With this setting in place, the Security Accounts Manager (SAM) performs an access check on every remote call and permits or denies the remote RPC connection to the SAM and Active Directory based on the users and groups you specify.

CIS Benchmarks explicitly require restricting remote SAM calls. See how CIS Compliance turns settings like this into enforceable, audit-ready baselines.

Configure “Network access: Restrict clients allowed to make remote calls to SAM”

The Windows Security Account Manager (SAM) stores users’ password hashes. Restricting remote RPC connections to the SAM to Administrators helps protect those credentials.

Configure this policy based on the security requirements for your organization.

To configure the setting directly in the registry:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Control\Lsa
Value Name: RestrictRemoteSAM
Value Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)

To configure the setting through the Local Security Policy editor:

  • Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> “Network access: Restrict clients allowed to make remote calls to SAM”.
  • Select “Edit Security” to configure the “Security descriptor:”.
  • Add “Administrators” in “Group or user names:” if it is not already listed (this is the default).
  • Select “Administrators” in “Group or user names:”.
  • Select “Allow” for “Remote Access” in “Permissions for Administrators”.
  • Click “OK”.
  • The “Security descriptor:” must be populated with “O:BAG:BAD:(A;;RC;;;BA)” for the policy to be enforced.

By default, the Network access: Restrict clients allowed to make remote calls to SAM security policy setting isn’t defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy isn’t enforced.
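The following PowerShell script is an added example, not code from the original article or from CalCom: it audits the RestrictRemoteSam registry value described above, distinguishes the three states the text mentions (not defined, defined but blank, defined with a descriptor), parses the SDDL string with .NET to show which principals hold the Remote Access right, and, with the assumed `-Remediate` switch, writes the Administrators-only descriptor from the article.

```powershell
# Added example (not from the original article): audit, and optionally set,
# "Network access: Restrict clients allowed to make remote calls to SAM".
# Run from an elevated PowerShell session. Without -Remediate it only reports.
[CmdletBinding()]
param([switch]$Remediate)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSam'
$Expected  = 'O:BAG:BAD:(A;;RC;;;BA)'   # Remote Access (RC) for Builtin\Administrators only
$RC        = 0x20000                    # READ_CONTROL; the SAM treats it as "Remote Access"

# A missing value returns $null; Get-ItemProperty does not throw with SilentlyContinue.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Output 'Policy not defined: the SAM default security descriptor applies.'
} elseif ([string]::IsNullOrWhiteSpace($current)) {
    Write-Output 'Policy defined but blank: the restriction is NOT enforced.'
} else {
    Write-Output "Current descriptor: $current"
    # Parse the SDDL and list every ACE that carries the RC bit (the only right
    # the SAM honours for this check), resolving SIDs to names where possible.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace.AccessMask -band $RC) -eq 0) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        Write-Output "  $($ace.AceType): Remote Access for $name"
    }
    if ($current -eq $Expected) {
        Write-Output 'Matches the Administrators-only baseline.'
    } else {
        Write-Output 'Differs from the Administrators-only baseline; review the ACEs above.'
    }
}

if ($Remediate -and $current -ne $Expected) {
    # REG_SZ, the same string the Local Security Policy UI writes.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type String
    Write-Output "Set $ValueName to $Expected"
}
```

When the value is delivered by Group Policy it lands in the same registry location, so the audit branch applies to domain-joined hosts as well; use the GPO path below rather than `-Remediate` on those hosts so the setting is not overwritten at the next policy refresh.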

Group Policy Configuration of “Network access: Restrict clients allowed to make remote calls to SAM”

To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

Configuration Hardening Automation

The SAM database contains highly sensitive account information such as password hashes and account settings. Restricting remote access to administrators only limits the risk of this data being exposed or misused by unauthorized users. Automating the setting ensures it is applied consistently.

Automation primarily increases security, compliance, convenience, reliability and scalability for restricting SAM access. IT teams benefit by having hardened servers they can trust while avoiding tedious manual work.

Restricting SAM access is one piece of a much larger Windows hardening picture. Download the Windows Server Hardening: Step-by-Step Guide to CIS Benchmark Compliance to see how security policies like this one fit into a complete, audit-ready baseline.
