Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Question on configuring SAM-R to enable lateral movement path detection

Iron Contributor
Hey Defender Peeps,
 
Referring to this KB from MS -Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Micros... Seeking some advice on "configuring SAM-R to enable lateral movement path detection in Microsoft Defender for Identity". Customer don't currently have the "Network access - Restrict clients allowed to make remote calls to SAM" policy defined within their environment, and unsure of the implication of doing so – assume by enabling the policy across their domain (excluding Domain Controllers) and adding the Directory Service account with Remote Access, any other accounts currently making remote calls to SAM will start failing?.
 
The MS documentation around the policy setting itself mentions the ability to configure audit-only mode for the change, but applying that across the PROD environment means we'd be needing to look for 8 different event IDs across every server/workstation in every domain in order to figure out what other accounts are making remote calls to SAM and what (i.e. it will take a significant amount of time).
 
Can someone advise what Best Practice would be followed for enabling the policy/what accounts should be added in addition to the Directory Service account? 
 
Any thoughts/advises are highly appreciated 
 
Thank you !!
2 Replies
By default, the SAM can be accessed remotely via SAMR by any authenticated user. So, to be honest, I don't see why you need to set it in the first place. Since you need to set a Directory Service Account, it is always authenticated and should use the SAM-R protocol anyway.

And the "Access this computer from the network setting" is not needed if you didn't set it:
"The setting is not enabled by default. If you have not enabled it previously, you don't need to modify it to allow Defender for Identity to make remote calls to SAM."

I can confirm at the program team and come back on this one.
Ok, since Windows 10 1607+ and Windows Server 2016+ it changed. SAMR is now restricted to the built-in administrators group. So, if you want to see the "lateral movement paths" in Microsoft 365, you need to configure the Directory Service Account to access the SAM remotely using RPC on every server. It doesn't apply to DC's as every authenticated user can still access the SAM remotely due to compatibility.

"The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers"

Source; https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/networ...

I guess that changing the policy where the security descriptor "Administrators" is already added and adding the Directory Service Account isn't impacted at all on Windows 10 1607+ and Windows Server 2016+. it does affect older version of Windows though, but then you can use auditing described in the following link:

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/networ...

Monitor for a few weeks, check if any audits are saved and make the decision if it impacts the server for pre-Windows 10 1607 and Windows Server 2016.

Hope this helps!