Score:0

Domain Controller Blocking SAMR Request

I have software that is used for monitoring user logins. The software uses a SAMR request to get user groups for allowing users in and out of the machine. When the software reaches out with a SAMR request for the groups, it looks like it is getting blocked by the Domain Controller. I think it may be the firewall, because if I install it on the Domain Controller, it succeeds.

How can I test the SAMR request and see if I can get logging on it, or what firewall rules do I need to create to allow SAMR to complete?

Score:1

Check the RestrictRemoteSAM registry value. The default settings for that were changed in Windows 10 version 1607 and Windows Server 2016.

It may also be the policy setting "Network access: Restrict clients allowed to make remote calls to SAM".

https://blog.netwrix.com/2022/11/18/making-internal-reconnaissance-harder-using-netcease-and-samri1o/

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

Note that SAMR uses tcp/445, as with any other file share, so this typically is not something the host-based firewall would deal with. Additionally, SAMR has a high affinity for a single domain controller (PDCe), so using the legacy SAMR protocol doesn't scale and may cause other difficult-to-solve problems that linger. SAMR has one very specific use case, and beyond that, the only usage I have seen over the years has been either inadvertent (which causes huge problems) or threat actors exploiting vulnerabilities in ancient protocols.

Just to add more information to this answer: the registry where RestrictRemoteSAM is located was set to Administrators on a domain controller, whereas on domain controllers it should be not defined.
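
One way to run the check the answer suggests, as an added example that is not part of the original posts: it reads RestrictRemoteSAM on the local machine, decodes the SDDL into the trustees allowed or denied remote SAM calls, and lists related System-log events. The registry path (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) and the event ID range 16962-16969 come from Microsoft's documentation of the policy setting, not from this thread.

```powershell
# Added example. Run in an elevated PowerShell session on the machine that
# receives the SAMR calls (here, the domain controller).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM `
            -ErrorAction SilentlyContinue).RestrictRemoteSAM

if ([string]::IsNullOrEmpty($sddl)) {
    Write-Output 'RestrictRemoteSAM is not defined; the operating system default applies.'
} else {
    Write-Output "RestrictRemoteSAM = $sddl"
    # Parse the SDDL string into a security descriptor and walk its DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID could not be resolved: show it raw
        [pscustomobject]@{
            Trustee    = $name
            AceType    = $ace.AceType                 # AccessAllowed or AccessDenied
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Events Microsoft documents for this restriction (descriptor in force,
# denied remote SAM calls, audit-only mode). No output means none were logged.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16962..16969 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message
```

If a Group Policy object sets "Network access: Restrict clients allowed to make remote calls to SAM", the value is rewritten at the next policy refresh, so fix it in the GPO rather than in the registry.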