Information
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
GROUP ID: V-220933
RULE ID: SV-220933r1081053
The Windows SAM stores users' passwords. Restricting remote RPC connections to the SAM to Administrators helps protect those credentials.
Solution
Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> 'Network access: Restrict clients allowed to make remote calls to SAM'.
Select 'Edit Security' to configure the 'Security descriptor:'.
Add 'Administrators' in 'Group or user names:' if it is not already listed (this is the default).
Select 'Administrators' in 'Group or user names:'.
Select 'Allow' for 'Remote Access' in 'Permissions for Administrators'.
Click 'OK'.
The 'Security descriptor:' must be populated with 'O:BAG:BAD:(A;;RC;;;BA)' for the policy to be enforced.
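To confirm the result of the steps above on a host, the following added example (not part of the STIG text) reads the stored descriptor and checks that only Administrators are allowed Remote Access. It assumes the policy is stored as the REG_SZ value RestrictRemoteSAM under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which this page does not state; `Test-RestrictRemoteSam` is a hypothetical helper name.

```powershell
# Added example: audit the policy value on the local machine.
# Assumption (not on the page): the policy is stored as the REG_SZ value
# RestrictRemoteSAM under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.
$Expected = 'O:BAG:BAD:(A;;RC;;;BA)'   # descriptor string required by the page

function Test-RestrictRemoteSam {      # hypothetical helper name
    param([string]$Sddl)

    if ([string]::IsNullOrWhiteSpace($Sddl)) {
        return [pscustomobject]@{ Compliant = $false; Detail = 'Security descriptor is empty' }
    }
    try {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    } catch {
        return [pscustomobject]@{ Compliant = $false; Detail = "Unparseable SDDL: $Sddl" }
    }

    $adminSid    = 'S-1-5-32-544'      # BUILTIN\Administrators (BA)
    $readControl = 0x00020000          # RC, the 'Remote Access' permission in the editor
    $adminOk     = $false
    $others      = @()

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only access-allowed ACEs carrying RC grant remote SAM access.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (-not ($ace.AccessMask -band $readControl)) { continue }
        if ($ace.SecurityIdentifier.Value -eq $adminSid) { $adminOk = $true }
        else { $others += $ace.SecurityIdentifier.Value }
    }

    if ($others.Count -gt 0) {
        return [pscustomobject]@{ Compliant = $false; Detail = "Non-Administrators SIDs allowed: $($others -join ', ')" }
    }
    if (-not $adminOk) {
        return [pscustomobject]@{ Compliant = $false; Detail = 'Administrators are not allowed Remote Access' }
    }
    if ($Sddl -ne $Expected) {
        return [pscustomobject]@{ Compliant = $false; Detail = "Administrators only, but string differs from $Expected" }
    }
    [pscustomobject]@{ Compliant = $true; Detail = 'Matches required descriptor' }
}

# Read the stored descriptor (missing value yields an empty string) and evaluate it.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
Test-RestrictRemoteSam -Sddl $lsa.RestrictRemoteSAM
```

The `Detail` field distinguishes an empty descriptor, where the policy is not enforced, from one that grants Remote Access to a SID other than Administrators.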