Forum Discussion
manojviduranga
Mar 14, 2023
Iron Contributor
Question on configuring SAM-R to enable lateral movement path detection
Hey Defender Peeps, referring to this KB from MS - Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Microsoft Learn. Seeking some advice on "configurin...
thalpius
Brass Contributor
By default, the SAM can be accessed remotely via SAMR by any authenticated user. So, to be honest, I don't see why you need to set it in the first place. Since you need to set a Directory Service Account, it is always authenticated and should use the SAM-R protocol anyway.
And the "Access this computer from the network" setting is not needed if you didn't set it:
"The setting is not enabled by default. If you have not enabled it previously, you don't need to modify it to allow Defender for Identity to make remote calls to SAM."
I can confirm at the program team and come back on this one.
thalpius
Mar 21, 2023
Brass Contributor
Ok, since Windows 10 1607+ and Windows Server 2016+ it changed. SAMR is now restricted to the built-in Administrators group. So, if you want to see the "lateral movement paths" in Microsoft 365, you need to configure the Directory Service Account to access the SAM remotely using RPC on every server. It doesn't apply to DCs, as every authenticated user can still access the SAM remotely due to compatibility.
"The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers"
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
I guess that changing the policy where the security descriptor "Administrators" is already added and adding the Directory Service Account has no impact at all on Windows 10 1607+ and Windows Server 2016+. It does affect older versions of Windows, though, but then you can use the auditing described in the following link:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#policy-management
Monitor for a few weeks, check whether any audits are saved, and then decide whether it impacts the server for pre-Windows 10 1607 and Windows Server 2016 versions.
Hope this helps!
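The change thalpius describes (keep the existing built-in Administrators entry, add the Directory Service Account, and use audit-only mode on older hosts before enforcing) can be done without hand-editing SDDL strings. The script below is an added example, not code from the thread or from Microsoft; it assumes the DSA is the placeholder CONTOSO\svc-mdi, that the policy is backed by the REG_SZ value RestrictRemoteSam and the DWORD RestrictRemoteSamAuditOnlyMode under the Lsa key (the documented backing values for this policy), and that no GPO will later overwrite the local value.

```powershell
# Added example (not from the thread). Placeholder DSA name, replace before use.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DsaName = 'CONTOSO\svc-mdi'

# Current descriptor; absent means the OS default, which on Win10 1607+ /
# Server 2016+ non-DCs grants only built-in Administrators: O:BAG:BAD:(A;;RC;;;BA)
$current = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSam `
            -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $current) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }

# Parse the SDDL instead of string-concatenating, so existing ACEs are preserved
$sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
$dsaSid = (New-Object System.Security.Principal.NTAccount($DsaName)).Translate(
            [System.Security.Principal.SecurityIdentifier])

# Only append an allow ACE for the DSA if one is not already present
$already = $sd.DiscretionaryAcl | Where-Object {
    $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $dsaSid }
if (-not $already) {
    # RC = READ_CONTROL (0x20000), the same right the default ACE gives Administrators
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x20000, $dsaSid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
}
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# On pre-1607 / pre-2016 hosts start in audit-only mode and review the
# Directory-Services-SAM events in the System log for a few weeks; set this to
# $false only once no legitimate caller is being reported as denied.
$auditOnly = $true
Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSamAuditOnlyMode `
    -Value ([int]$auditOnly) -Type DWord
Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -Value $newSddl -Type String
"Applied RestrictRemoteSam = $newSddl (audit-only: $auditOnly)"
```

Run it elevated on a member server; on a domain controller it is not needed, since DCs keep the Everyone-compatible default described in the post.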