SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016

The "SAMRi10" tool is a short PowerShell (PS) script that alters the default remote SAM access permissions on Windows 10 and Windows Server 2016. This hardening prevents attackers from easily obtaining valuable reconnaissance information that they would use to move laterally within a victim's network.

SAMRi10.zip
Security
12/11/2016


  • Issues with MIM-PAM Setup and Exchange
    1 Posts | Last post November 16, 2017
    • Hi,
      when restricting permissions to only Administrators (on DCs), the setup of MIM-PAM on a member server in that domain fails with an Access Denied Error.
      In the same scenario the Offline Address Book on an Exchange 2013 server could no longer be generated. 
      In both cases adding Everyone (just for testing) immediately solved the issues. 
      Obviously that's not what we want to use. Is there any guidance by MS on how restrictive this setting can/should be configured on DCs?
      Regards
  • sajid shamir
    1 Posts | Last post August 31, 2017
    • Hey,
      if we run this script on a Windows 2016 domain controller, will it protect the client machine as well, or do we have to run this script separately on each machine in that case or use any sort of GPO?
      Regards
  • terminal services 2012
    2 Posts | Last post July 20, 2017
    • When this is enabled on a 2016 DC, it stops a 2012 R2 server with an applied terminal services license from allowing logins.
    • It also stops 2008 R2 terminal servers. The problem was fixed by making sure the “Network access: Restrict clients allowed to make remote calls to SAM” setting is applied only to member servers, not the DCs.
  • Verified on the following
    1 Posts | Last post April 25, 2017
    • The "Verified on the following platforms" table at the end of the description doesn't include Server 2016. Has this been verified on 2016? If so, why isn't it included in the table?
  • Previous versions of Windows vulnerability
    2 Posts | Last post December 11, 2016
    • Hi, 
      
      Does this finding expose a potential vulnerability regarding previous operating systems? Do you think that Microsoft will release a global update that will address this or is it something we shouldn't worry about?
      
      Thanks!
    • I would say it's more a matter of a problematic configuration. If you install the latest and greatest Windows version, you wouldn't need to worry about it.
  • Difference between this and NetCease?
    2 Posts | Last post December 11, 2016
    • Hey Itai, I was wondering what the difference between SAMRi10 and NetCease (https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b) is. Thanks in advance.
    • Hi Sebastian,
      SAMRi10 and NetCease are two different tools which tackle two types of reconnaissance attacks. NetCease (https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b) blocks the Net Session Enumeration recon that is used for getting information on the IP addresses of logged on users. SAMRi10 hardens the remote access for queries to the security accounts manager (SAM) on Windows 10/Server 2016.
  • Windows 10 on a non 2016 Domain?
    2 Posts | Last post December 04, 2016
    • If I have Windows 10 on my Domain, do I need to have a Server 2016 domain controller? Or will this still protect my Windows 10 users/systems on a 2012 or lower DC?
    • Hi,
      You can run this script to protect your Windows 10 machines from SAM-R recon attack attempts (local users/groups), no matter which version of domain controller you have. 
      If you want to protect your domain from SAM-R recon attempts for domain users/groups, you'll need to have a 2016 domain controller and run this script on it.
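
The following read-only check is an added example, not part of the original page or of the SAMRi10 script. It shows which principals the "Network access: Restrict clients allowed to make remote calls to SAM" setting currently allows on a machine, which helps when deciding how restrictive to be on DCs versus member servers. It assumes the setting is stored as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function name Get-RemoteSamAcl and the sample SDDL are constructed for illustration.

```powershell
# Added example: decode the remote SAM access restriction and flag broad grants.
function Get-RemoteSamAcl {
    param(
        # SDDL to decode; when omitted, the local machine's value is read.
        [string]$Sddl
    )
    # Well-known SIDs that effectively undo the hardening if granted access.
    $broad = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-7'  = 'Anonymous Logon'
    }
    if (-not $Sddl) {
        $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
        $Sddl = $lsa.RestrictRemoteSam
    }
    if (-not $Sddl) {
        Write-Warning 'RestrictRemoteSam is not set; the operating system default applies.'
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # e.g. a deleted group or foreign SID
        [pscustomobject]@{
            Type       = $ace.AceType                    # AccessAllowed / AccessDenied
            Sid        = $sid.Value
            Account    = $name
            AccessMask = '0x{0:X}' -f $ace.AccessMask
            Broad      = $broad.ContainsKey($sid.Value)  # $true means review this entry
        }
    }
}

# Constructed sample: only BUILTIN\Administrators is allowed (RC = read control).
Get-RemoteSamAcl -Sddl 'O:BAG:BAD:(A;;RC;;;BA)' | Format-Table -AutoSize

# Read the local machine's current setting instead:
# Get-RemoteSamAcl | Format-Table -AutoSize
```

Any row with Broad set to True means the restriction is effectively open, as in the "adding Everyone (just for testing)" case described in the first thread.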