2.3.10.13 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)

Information

This policy setting allows you to restrict remote RPC connections to SAM.

The recommended state for this setting is: Administrators: Remote Access: Allow

Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.

Note #2: This setting was originally only supported on Windows Server 2016 and newer, then support for it was added to Windows Server 2008 R2 and newer via the March 2017 security patches.

Note #3: If your organization is using Azure Advanced Threat Protection (APT), the service account, 'AATP Service' will need to be added to the recommendation configuration. For more information on adding the 'AATP Service' account please see

Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs

.

To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)

Solution

To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/15105