2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow

Information

This policy setting allows you to restrict remote RPC connections to SAM.

The recommended state for this setting is: Administrators: Remote Access: Allow.

Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.

Note #2: If your organization is using Azure Advanced Threat Protection (APT), the service account, 'AATP Service' will need to be added to the recommendation configuration. For more information on adding the 'AATP Service' account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.

Rationale:

To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

Default Value:

Administrators: Remote Access: Allow.

See Also

https://workbench.cisecurity.org/files/4286