Microsoft’s efforts to improve defences of its operating system have paid off with the release of Windows 10. As noted this week in McAfee Labs’ 2017 predictions, it isn’t easy to penetrate a fully patched Microsoft Edge browser running on a 64-bit Windows 10 OS. Attackers would have to combine several high-quality vulnerabilities with advanced exploitation techniques.
That doesn’t mean Win10 and Windows Server 2016 can’t be nailed tighter. This week Microsoft Advanced Threat Analytics team did that by releasing a short PowerShell script to help admins prevent attackers who successfully breach the network from easily getting some valuable reconnaissance information so they can move laterally through a victim’s network.
Dubbed SAMRi10 (pronounced samaritan), it shuts the door on an attacker’s ability to remotely query the Windows Security Account Manager (SAM) on devices to get Windows domain information and map the network.
When attackers breach the network usually their goal is to find and compromise the credentials of privileged users so they can discover and exfiltrate key data. By default, the SAM can be accessed remotely (via SAMR remote protocol) by any authenticated user, including network connected users, which effectively means that any domain user is able to access it. As the TechNet blog notes, Win10 has an option to control the remote access to the SAM through a specific registry value. The default permissions were changed this year with the Windows Anniversary update (Windows 10 Version 1607) allow remote access only to administrators.
Now, to give admins granular control over remote access to SAM for all Windows 10 versions SAMRi10 has been created. It alters these default permissions on all Windows 10 versions and Windows Server 2016. The SAMRi10 script hardens the remote access to the SAM by giving permission for members of administrators group or the newly created group (also by this script) named “Remote SAM Users.” This will allow any administrator or any service/user account added to the “Remote SAM Users” local group to remotely access SAM on the hardened machine.
To use the new tool all that has to be done is run the SAMRi10 PowerShell script as administrator on the machine you wish to harden (Windows 10/Server 2016+)
Microsoft notes a Windows Server 2016 domain controller hardened by the SAMRi10 tool, will respond differently to a remote SAM access, based upon the requesting user account type:
- Domain Admin account: Querying a hardened domain controller, with the “Net User/Group” for example, will be completed successfully.
- Non-privileged User account: Querying a hardened domain controller, with the “Net User/Group” for example, will result with an “Access is denied” error.
- Member of “Remote SAM Users”: Querying a hardened domain controller, with the “Net User/Group” for example, will be completed successfully.
