Information
This policy setting allows you to restrict remote RPC connections to SAM.
The recommended state for this setting is: Administrators: Remote Access: Allow.
Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.
Rationale:
To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Allow: O:BAG:BAD:(A;;RC;;;BA):
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Endpoint protection)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Endpoint protection/Local device security options/Network access and security
Setting Name: Restrict remote RPC connections to SAM
Configuration: Allow: O:BAG:BAD:(A;;RC;;;BA)
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:
Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
Data type: String
Value: O:BAG:BAD:(A;;RC;;;BA)
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Default Value:
Administrators: Remote Access: Allow.