Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.

GROUP ID: V-254433
RULE ID: SV-254433r958726

The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.

Solution
Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict clients allowed to make remote calls to SAM.

Select 'Edit Security' to configure the 'Security descriptor:'.
Add 'Administrators' in 'Group or user names:' if it is not already listed (this is the default).
Select 'Administrators' in 'Group or user names:'.
Select 'Allow' for 'Remote Access' in 'Permissions for Administrators'.
Click 'OK'.

The 'Security descriptor:' must be populated with 'O:BAG:BAD:(A;;RC;;;BA)' for the policy to be enforced.
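
To confirm the result of the steps above on a server, the following PowerShell audit is an added example, not part of the original finding text. It assumes the policy is stored in the RestrictRemoteSAM value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (a location the page does not state); the function name and the second sample descriptor are constructed for illustration.

```powershell
# Added example: audit of the SAM remote-call restriction on the local server.
# Assumption (not on the page): the policy is stored in the RestrictRemoteSAM
# value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.
$Required    = 'O:BAG:BAD:(A;;RC;;;BA)'   # descriptor the page requires
$ReadControl = 0x00020000                 # access mask behind the SDDL right "RC"

function Test-RestrictRemoteSam {
    param([string]$Sddl)

    if ([string]::IsNullOrWhiteSpace($Sddl)) {
        return 'FINDING: security descriptor is empty, so the policy is not enforced'
    }
    if ($Sddl.Trim() -eq $Required) { return 'PASS: descriptor matches the required value' }

    # Not an exact match: parse the SDDL to report which entries deviate.
    try {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    } catch {
        return "FINDING: value is not valid SDDL: $Sddl"
    }
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    $problems = @()
    $adminsAllowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }   # only allow entries widen access
        if ($ace.SecurityIdentifier.Value -eq $admins.Value) {
            if ($ace.AccessMask -band $ReadControl) { $adminsAllowed = $true }
        } else {
            $problems += "non-Administrators trustee allowed: $($ace.SecurityIdentifier.Value)"
        }
    }
    if (-not $adminsAllowed) { $problems += 'Administrators are not allowed Remote Access (RC)' }
    $problems += "descriptor differs from required value $Required"
    return 'FINDING: ' + ($problems -join '; ')
}

# Audit the value currently set on this machine.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue
Test-RestrictRemoteSam -Sddl $lsa.RestrictRemoteSAM

# Constructed sample: Remote Access also granted to Authenticated Users (AU).
Test-RestrictRemoteSam -Sddl 'O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;AU)'
```

A missing or empty value is reported as a finding because the page states the descriptor must be populated for the policy to be enforced.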