Microsoft script prevents Win10, WinServer 2016 from giving up recon data

Microsoft’s efforts to improve the defences of its operating system have paid off with the release of Windows 10. As noted this week in McAfee Labs’ 2017 predictions, it isn’t easy to penetrate a fully patched Microsoft Edge browser running on a 64-bit Windows 10 OS: attackers would have to combine several high-quality vulnerabilities with advanced exploitation techniques.

That doesn’t mean Win10 and Windows Server 2016 can’t be nailed down tighter. This week Microsoft’s Advanced Threat Analytics team did just that by releasing a short PowerShell script that helps admins prevent attackers who have already breached the network from easily gathering the reconnaissance information they need to move laterally through a victim’s network.

Dubbed SAMRi10 (pronounced “samaritan”), it shuts the door on an attacker’s ability to remotely query the Windows Security Account Manager (SAM) on devices to obtain Windows domain information and map the network.

When attackers breach a network, their goal is usually to find and compromise the credentials of privileged users so they can discover and exfiltrate key data. By default, the SAM can be accessed remotely (via the SAMR remote protocol) by any authenticated user, including network-connected users, which effectively means that any domain user is able to query it. As the TechNet blog notes, Win10 has an option to control remote access to the SAM through a specific registry value. The default permissions were changed this year with the Windows Anniversary Update (Windows 10 version 1607) to allow remote access only to administrators.

SAMRi10 was created to give admins granular control over remote access to the SAM across all Windows 10 versions. It alters the default permissions on all Windows 10 versions and on Windows Server 2016. The script hardens remote access to the SAM by granting it only to members of the local Administrators group or of a new local group, named “Remote SAM Users,” that the script itself creates. Any administrator, or any service or user account added to the “Remote SAM Users” local group, can therefore still remotely access the SAM on the hardened machine; everyone else is refused.

To use the new tool, all that has to be done is to run the SAMRi10 PowerShell script as an administrator on the machine you wish to harden (Windows 10 or Server 2016 and later).

Microsoft notes that a Windows Server 2016 domain controller hardened by the SAMRi10 tool will respond differently to a remote SAM access attempt depending on the type of the requesting user account:

  • Domain Admin account: querying a hardened domain controller (with “net user” or “net group,” for example) will complete successfully.
  • Non-privileged user account: querying a hardened domain controller (with “net user” or “net group,” for example) will result in an “Access is denied” error.
  • Member of “Remote SAM Users”: querying a hardened domain controller (with “net user” or “net group,” for example) will complete successfully.
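The hardening described above can be expressed in a few lines of PowerShell. The following is an added example written for this article, not the SAMRi10 script itself: it creates the “Remote SAM Users” group, writes the SAM access restriction (the RestrictRemoteSam value under the LSA key, stored as an SDDL security descriptor) so that only BUILTIN\Administrators and that group are allowed, and then reads the value back so the change can be audited or rolled back. The group name and the SYSTEM owner in the SDDL are choices made here, not values taken from Microsoft’s script.

```powershell
# Added example, not the SAMRi10 script: restrict remote SAM access to local
# Administrators plus a dedicated allow-list group, then report the result.
# Run elevated on Windows 10 / Windows Server 2016.
#Requires -RunAsAdministrator

$GroupName = 'Remote SAM Users'                          # allow-list group (our choice)
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSam'                         # REG_SZ holding an SDDL string

# 1. Create the allow-list group if it does not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Accounts allowed to query SAM remotely' | Out-Null
}
$groupSid = (Get-LocalGroup -Name $GroupName).SID.Value

# 2. Build the SDDL: owner and group SYSTEM, and two allow ACEs granting RC
#    (READ_CONTROL, the right SAMR checks on connect) to BUILTIN\Administrators
#    (the BA alias) and to the new group's SID. Anyone not matched, including
#    ordinary domain users, is denied remote SAM access.
$sddl = "O:SYG:SYD:(A;;RC;;;BA)(A;;RC;;;$groupSid)"

# 3. Keep the previous value for rollback, then apply the new one.
$previous = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $sddl -Type String

# 4. Verify: parse the stored descriptor and list who is now allowed.
$applied = (Get-ItemProperty -Path $LsaKey -Name $ValueName).$ValueName
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $applied
[PSCustomObject]@{
    PreviousSddl = $previous
    AppliedSddl  = $applied
    AllowedSids  = ($sd.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value }) -join ', '
    GroupMembers = (Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
                    ForEach-Object Name) -join ', '
}
```

To restore the pre-hardening behaviour, write the recorded PreviousSddl back to the same value (or remove the value to fall back to the OS default).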

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com