deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 13:53:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into fix--MD037/no-space-in-emphasis

Browse Source
This commit is contained in:
Nick Schonning
2019-07-18 14:49:08 -04:00
committed by GitHub
parent 680646be9a 51515d6cce
commit ae0fb89541
399 changed files with 3344 additions and 2553 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
View File

@ -111,11 +111,11 @@ Audit only mode configures the SAMRPC protocol to do the access check against th
### Related events
There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
|Event ID|Event Message Text|Explanation |
|---|---|---|
@ -152,9 +152,9 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
### Countermeasure
You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.