From b22ecac4fbdb4995268d70c3aa827f454836e0b0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 25 May 2017 16:43:30 -0700 Subject: [PATCH] revised policy info --- ...lients-allowed-to-make-remote-sam-calls.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index bc4a6ef39a..6b8b6efa84 100644 --- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -51,25 +51,27 @@ You can edit the default security descriptor to allow or deny other users and gr The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications. -## Possible values -- Not defined -- Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC. +## Policy and Registry Names -## Location +| | | +|----|---| +| Policy Name | Network access: Restrict clients allowed to make remote calls to SAM | +| Location | `Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Option` | +| Possible values |
- Not defined
- Defined, along with the security descriptor for users and groups who are allowed or denied to use SAMRPC to remotely access either the local SAM or Active Directory. | +| Registry location | `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam` | +| Registry type | REG_DWORD | +| Registry values | A string that will contain the SDDL of the security descriptor to be deployed to the following registry setting. | -On computers that run Windows Server 2016 and Windows 10, version 1607 and later, you can edit this security policy setting in the following location in the Group Policy Management Console: - -Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - -This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting: - -HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam +The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. +This is the only option to configure this setting by using a user interface (UI). On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. > [!NOTE] -This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. +> This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. + +> For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. ## Default values Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. @@ -82,18 +84,16 @@ In other words, the hotfix in each KB article provides the necessary code and fu |---|---|---|---| |Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.| |Earlier domain controller |-|-|No access check is performed by default.| -|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
  AceType:0x00
  (ACCESS_ALLOWED_ACE_TYPE)
  AceSize:0x0018
  InheritFlags:0x00
  Access Mask:0x00020000
  AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

  SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | +|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
  AceType:0x00
  (ACCESS\_ALLOWED_ACE_TYPE)
  AceSize:0x0018
  InheritFlags:0x00
  Access Mask:0x00020000
  AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

  SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | |Earlier non-domain controller |-|-|No access check is performed by default.| ## Policy management This section explains how to configure audit-only mode, how to analyze related events that are logged when the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is enabled, and how to configure event throttling to prevent flooding the event log. - - ### Audit only mode -Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. +Audit only mode configures the SAMRPC protocol to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but SAMRPC will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. |Registry|Details| |---|---|