Azure ATP SAM-R

%3CLINGO-SUB%20id%3D%22lingo-sub-1143001%22%20slang%3D%22en-US%22%3EAzure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1143001%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone.%3C%2FP%3E%3CP%3EContext%3A%3C%2FP%3E%3CP%3EOne%20of%20the%20AATP%20prerequisites%20is%20the%20SAM-R%20GPO.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Finstall-atp-step8-samr%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Finstall-atp-step8-samr%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20link%20above%20describes%20how%20the%20gpo%20should%20be%20configured.%3C%2FP%3E%3CP%3EHowever%2C%20the%20documentation%20is%20ambiguous%20on%20multiple%20aspects.%3C%2FP%3E%3CP%3EA%20note%20posted%20on%20this%20page%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-access-restrict-clients-allowed-to-make-remote-sam-calls%23audit-only-mode%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-access-restrict-clients-allowed-to-make-remote-sam-calls%23audit-only-mode%3C%2FA%3E%3C%2FP%3E%3CP%3Etells%20you%20that%20if%20you%20are%20configuring%20this%20GPO%2C%20you%20might%20break%20OAB%20(if%20you%20are%20running%20Exchange%202013%2F2016%20in%20your%20environment).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20some%20fixes%20proposed%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4055652%2Faccess-checks-fail-because-of-authz-access-denied-error-in-windows-ser%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4055652%2Faccess-checks-fail-because-of-authz-access-denied-error-in-windows-ser%3C%2FA%3E%3C%2FP%3E%3CP%3E-%20unlink%20the%20gpo%20(that%20is%20required%20for%20AATP)%20and%20probably%20loose%20LMP%3C%2FP%3E%3CP%3E-%20configure%20the%20gpo%20to%20filter%20out%20domain%20controllers%2C%20and%20allow%20also%20exchange%20server%20groups.%3C%2FP%3E%3CP%3E-%20hardest%20one%3A%20implement%20policy%20in%20audit%20mode%2C%20identify%20the%20apps%20using%20AuthZ%20and%20then%20add%20the%20required%20accounts%20in%20the%20allowed%20list.%3C%2FP%3E%3CP%3EIf%20you%20have%20other%20applications%20using%20AuthZ%2C%20those%20might%20stop%20working...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20GPO%20enabled%20I%20can%20confirm%20it%20breaks%20building%20OAB%20in%20my%20lab.%3C%2FP%3E%3CP%3EI%20can%20also%20confirm%20that%20creating%20a%20GPO%20from%20a%20w2016%20machine%2C%20and%20applying%20it%20to%20w2012%20machines%2C%20the%20settings%20are%20there%20(checked%20with%20remote%20registry%20from%20a%20W2016%20machine)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20also%20confirm%20that%20not%20implementing%20the%20GPO%2C%20I%20still%20see%20some%20lateral%20movement%20paths%20built%20(at%20lease%20in%20the%20reports)%2C%20but%20not%20for%20all%20the%20objects...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20use%20case%20where%20you%20have%20windows%202012%2C%202012%20r2%2C%202016%2C%20exchange%202016%2C%20and%20windows%2010%20clients%20in%20the%20environment%2C%20what%20is%20Microsoft's%20AATP%20product%20team%20recommendation%20to%20have%20LMP%20available%20without%20breaking%20anything%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1146527%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1146527%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F354414%22%20target%3D%22_blank%22%3E%40mcliviu%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3ELogically%2C%20solutions%20other%20the%20Azure%20ATP%20might%20require%20that%20GPO%2C%20hence%2C%20your%20LOB%20apps%20might%20break%20if%20another%20app%20enables%20it%20so%20we%20suggest%20that%20you%20identity%20and%20add%20all%20required%20accounts%20into%20that%20policy%20to%20avoid%20%22breaking%22%26nbsp%3Bthings.%20This%20does%20take%20some%20effort%20but%20the%20lateral%20movement%20paths%20feature%20is%20a%20very%20important%20feature%20for%20Azure%20ATP%20(and%20about%20to%20get%20even%20bigger%2C%20stay%20tuned!)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20this%20helps%3C%2FP%3E%0A%3CP%3EOr.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1146973%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1146973%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F354414%22%20target%3D%22_blank%22%3E%40mcliviu%3C%2FA%3E%26nbsp%3Bhave%20you%20ever%20looked%20at%20the%20baseline%20security%20policies%20for%20Windows%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-security-baselines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-security-baselines%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20specifies%20the%20following%20should%20be%20set%20for%20Windows%20clients%20and%20member%20servers%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%3ENetwork%20access%3A%20Restrict%20clients%20allowed%20to%20make%20remote%20calls%20to%20SAM%3C%2FTD%3E%3CTD%3E%3CP%3EO%3ABAG%3ABAD%3A(A%3B%3BRC%3B%3B%3BBA)%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDomain%20Controllers%20are%20listed%20as%20blank.%20Which%20I%20think%20is%20required%20to%20allow%20a%20DC%20to%20work%20correctly.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20thought%20by%20default%20the%20remote%20SAM%20was%20open%20to%20Anon%20access%3F%20Or%20is%20that%20when%20the%20domain%20has%20gone%20through%20upgrades%20from%20early%20versions%3F%20So%20if%20it's%20not%20open%2C%20I%20would%20have%20thought%20you%20already%20had%20a%20GPO%20in%20place%20that%20was%20locking%20it%20down%3F%20If%20you're%20locking%20it%20down%20via%20GPO%20you%20should%20be%20able%20to%20add%20the%20AATP%20account%20to%20that%20GPO.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1147385%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1147385%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F215466%22%20target%3D%22_blank%22%3E%40Or%20Tsemah%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20understanding%20is%20that%20on%20the%20older%20versions%20of%20OS%2C%20everyone%20has%20read%20only%20access.%3C%2FP%3E%3CP%3EHowever%2C%20on%20the%20newer%20versions%2C%20and%20the%20OS%20patched%20in%20the%20list%20below%2C%20this%20GPO%20is%20required%20to%20allow%20SAM-R.%3C%2FP%3E%3CP%3EWindows%2010%2C%20version%201607%20and%20later%3CBR%20%2F%3EWindows%2010%2C%20version%201511%20with%20KB%204103198%20installed%3CBR%20%2F%3EWindows%2010%2C%20version%201507%20with%20KB%204012606%20installed%3CBR%20%2F%3EWindows%208.1%20with%20KB%204102219%20installed%3CBR%20%2F%3EWindows%207%20with%20KB%204012218%20installed%3CBR%20%2F%3EWindows%20Server%202016%3CBR%20%2F%3EWindows%20Server%202012%20R2%20withKB%204012219%20installed%3CBR%20%2F%3EWindows%20Server%202012%20with%20KB%204012220%20installed%3CBR%20%2F%3EWindows%20Server%202008%20R2%20with%20KB%204012218%20installed%3C%2FP%3E%3CP%3ENow%2C%20MS%20recommends%20to%20enable%20the%20GPO%20in%20audit%20mode%20first%20to%20identify%20the%20apps%20that%20might%20require%20access%2C%20in%20order%20to%20avoid%20breaking%20things...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20in%20my%20case%2C%20is%20that%20unlinking%20the%20GPO%2C%20still%20doesn't%20fix%20OAB%2C%20and%20I%20think%20there%20can%20be%20other%20issues%20as%20well.%3C%2FP%3E%3CP%3EI%20was%20expecting%20the%20AATP%20documentation%20to%20be%20very%20clear%20and%20specific%2C%20unfortunately%2C%20it's%20not%20the%20case...%3C%2FP%3E%3CP%3EIn%20the%20prod%20env%2C%20SAM-R%20is%20built%20for%20some%20accounts%2C%20but%20not%20for%20others%2C%20therefore%20the%20guideline%20of%20enabling%20AATP%20SAM-R%20is%20a%20bit%20inconsistent...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1147414%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1147414%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F354414%22%20target%3D%22_blank%22%3E%40mcliviu%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKeep%20in%20mind%20that%20unlinking%20the%20GPO%20does%20not%20remove%20it's%20associated%20registry%20setting%20defined%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-access-restrict-clients-allowed-to-make-remote-sam-calls%23policy-and-registry-names%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-access-restrict-clients-allowed-to-make-remote-sam-calls%23policy-and-registry-names%3C%2FA%3E%26nbsp%3Band%20you%20have%20to%20remove%20it%20yourself%20using%20group%20policy%20preferences%20or%20other%20means%20(script%3F).%3C%2FP%3E%0A%3CP%3EIn%20regards%20to%20the%20documentation%20around%20that%20requirement%2C%20we%20will%20take%20your%20feedback%20under%20advisement.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1147432%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20SAM-R%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1147432%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F215466%22%20target%3D%22_blank%22%3E%40Or%20Tsemah%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EIn%20the%20documentation%20it%20says%20the%20fix%20is%20to%20unlink%20the%20GPO.%3C%2FP%3E%3CP%3EWhen%20the%20GPO%20is%20unlinked%2C%20the%20default%20settings%20should%20apply.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4055652%2Faccess-checks-fail-because-of-authz-access-denied-error-in-windows-ser%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4055652%2Faccess-checks-fail-because-of-authz-access-denied-error-in-windows-ser%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH4%20id%3D%22toc-hId--711618251%22%20id%3D%22toc-hId--711618251%22%3EMethod%202%3A%20Disable%20the%20policy%3C%2FH4%3E%3CP%20class%3D%22ng-scope%22%3EClear%20the%20%3CSTRONG%3ERestrictRemoteSAM%3C%2FSTRONG%3E%20registry%20entry%20%3CSTRONG%3Eor%3C%2FSTRONG%3E%20remove%20the%20policy.%3C%2FP%3E%3CP%20class%3D%22ng-scope%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22ng-scope%22%3EThe%20documentation%20states%20%22or%22%2C%20not%20%22and%22%3C%2FP%3E%3CP%20class%3D%22ng-scope%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22ng-scope%22%3EIf%20that%20is%20applied%20to%20thousands%20of%20computers%2C%20manually%20removal%20it's%20not%20an%20option....%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi everyone.

Context:

One of the AATP prerequisites is the SAM-R GPO.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step8-samr

The link above describes how the gpo should be configured.

However, the documentation is ambiguous on multiple aspects.

A note posted on this page

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

tells you that if you are configuring this GPO, you might break OAB (if you are running Exchange 2013/2016 in your environment).

 

There are some fixes proposed:

https://support.microsoft.com/en-us/help/4055652/access-checks-fail-because-of-authz-access-denied-e...

- unlink the gpo (that is required for AATP) and probably loose LMP

- configure the gpo to filter out domain controllers, and allow also exchange server groups.

- hardest one: implement policy in audit mode, identify the apps using AuthZ and then add the required accounts in the allowed list.

If you have other applications using AuthZ, those might stop working...

 

With the GPO enabled I can confirm it breaks building OAB in my lab.

I can also confirm that creating a GPO from a w2016 machine, and applying it to w2012 machines, the settings are there (checked with remote registry from a W2016 machine)

 

I can also confirm that not implementing the GPO, I still see some lateral movement paths built (at lease in the reports), but not for all the objects...

 

In the use case where you have windows 2012, 2012 r2, 2016, exchange 2016, and windows 10 clients in the environment, what is Microsoft's AATP product team recommendation to have LMP available without breaking anything?

5 Replies
Highlighted

@mcliviu 

Hi,

Logically, solutions other the Azure ATP might require that GPO, hence, your LOB apps might break if another app enables it so we suggest that you identity and add all required accounts into that policy to avoid "breaking" things. This does take some effort but the lateral movement paths feature is a very important feature for Azure ATP (and about to get even bigger, stay tuned!)

 

Hope this helps

Or.

 

Highlighted

@mcliviu have you ever looked at the baseline security policies for Windows?

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

 

It specifies the following should be set for Windows clients and member servers

Network access: Restrict clients allowed to make remote calls to SAM

O:BAG:BAD:(A;;RC;;;BA)

 

Domain Controllers are listed as blank. Which I think is required to allow a DC to work correctly.

 

I thought by default the remote SAM was open to Anon access? Or is that when the domain has gone through upgrades from early versions? So if it's not open, I would have thought you already had a GPO in place that was locking it down? If you're locking it down via GPO you should be able to add the AATP account to that GPO.

 

Highlighted

@Or Tsemah 

Hi,

 

My understanding is that on the older versions of OS, everyone has read only access.

However, on the newer versions, and the OS patched in the list below, this GPO is required to allow SAM-R.

Windows 10, version 1607 and later
Windows 10, version 1511 with KB 4103198 installed
Windows 10, version 1507 with KB 4012606 installed
Windows 8.1 with KB 4102219 installed
Windows 7 with KB 4012218 installed
Windows Server 2016
Windows Server 2012 R2 withKB 4012219 installed
Windows Server 2012 with KB 4012220 installed
Windows Server 2008 R2 with KB 4012218 installed

Now, MS recommends to enable the GPO in audit mode first to identify the apps that might require access, in order to avoid breaking things...

 

The issue in my case, is that unlinking the GPO, still doesn't fix OAB, and I think there can be other issues as well.

I was expecting the AATP documentation to be very clear and specific, unfortunately, it's not the case...

In the prod env, SAM-R is built for some accounts, but not for others, therefore the guideline of enabling AATP SAM-R is a bit inconsistent...

 

Highlighted

@mcliviu 

Keep in mind that unlinking the GPO does not remove it's associated registry setting defined in https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network... and you have to remove it yourself using group policy preferences or other means (script?).

In regards to the documentation around that requirement, we will take your feedback under advisement.

 

Highlighted

@Or Tsemah 

Hi,

In the documentation it says the fix is to unlink the GPO.

When the GPO is unlinked, the default settings should apply.

https://support.microsoft.com/en-us/help/4055652/access-checks-fail-because-of-authz-access-denied-e...

 

Method 2: Disable the policy

Clear the RestrictRemoteSAM registry entry or remove the policy.

 

The documentation states "or", not "and"

 

If that is applied to thousands of computers, manually removal it's not an option....