Information
This policy setting allows you to restrict remote RPC connections to SAM.
The recommended state for this setting is: Administrators: Remote Access: Allow
Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.
Note #2: This setting was originally only supported on Windows 10 R1607 or newer, then support for it was added to Windows 7 or newer via the March 2017 security patches.
Note #3: If your organization is using Microsoft Defender for Identity (formerly Azure Advanced Threat Protection (Azure ATP)), the (organization-named) Defender for Identity Directory Service Account (DSA) will also need to be granted the same Remote Access: Allow permission. For more information on adding the service account, please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.
This setting ensures that an unauthorized user cannot anonymously list local account names or groups and use that information to guess passwords or carry out social engineering attacks. (Social engineering attacks try to deceive users in some way into revealing passwords or other security information.)
Solution
To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
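The following PowerShell audit and remediation script is an added example and is not part of this benchmark text. It assumes, from Microsoft's documentation of the policy rather than from this page, that the setting is stored as the REG_SZ value RestrictRemoteSAM under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that "Administrators: Remote Access: Allow" corresponds to the SDDL string O:BAG:BAD:(A;;RC;;;BA).

```powershell
# Added example (not from the original page). Assumptions, taken from Microsoft's
# documentation of the policy rather than from this page:
#   - the policy is backed by REG_SZ 'RestrictRemoteSAM' under the Lsa key below
#   - 'Administrators: Remote Access: Allow' corresponds to the SDDL 'O:BAG:BAD:(A;;RC;;;BA)'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSAM'
$Expected  = 'O:BAG:BAD:(A;;RC;;;BA)'

function Get-RestrictRemoteSamState {
    # Reads the configured SDDL, decodes it into readable principals and reports compliance.
    $sddl = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ([string]::IsNullOrWhiteSpace($sddl)) {
        # Value absent: the OS default applies (the recommended restriction on Windows 10 R1607 /
        # Server 2016 and newer, per the notes above). Reported separately so an auditor can decide
        # whether "not explicitly configured" is acceptable for this host's OS version.
        return [pscustomobject]@{ Status = 'NotConfigured'; Sddl = $null; Principals = @(); Compliant = $false }
    }
    # Decode the SDDL so an unexpected ACE (for example an extra group granted access) is obvious.
    $desc       = ConvertFrom-SddlString -Sddl $sddl
    $principals = @($desc.DiscretionaryAcl | ForEach-Object { ($_ -split ':\s*', 2)[0] })
    $compliant  = (($sddl -replace '\s', '') -eq $Expected)
    $status     = if ($compliant) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{
        Status     = $status
        Sddl       = $sddl
        Principals = $principals
        Compliant  = $compliant
    }
}

function Set-RestrictRemoteSamRecommended {
    # Remediation for a standalone host; domain-joined hosts should receive this via the GP path above.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to '$Expected'")) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType String -Value $Expected -Force | Out-Null
    }
}

Get-RestrictRemoteSamState | Format-List
```

Run `Set-RestrictRemoteSamRecommended -WhatIf` first to see the change without applying it; the audit function needs only read access to the Lsa key.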
Impact:
None - this is the default behavior.