Microsoft researchers Itai Grady and Tal Be’ery have released another tool to help admins harden their environment against reconnaissance attacks: SAMRi10 (pronounced “Samaritan”).
Screenshot caption: User2 (non-admin) gets access denied by SAMRi10 when calling Net User remotely against a hardened Domain Controller.
Both the Net Cease tool they released in October and SAMRi10 are simple PowerShell scripts aimed at preventing attackers who are already inside a corporate network from mapping it out and finding their next target (workstation, server, etc.).
The former does so by altering Net Session Enumeration (NetSessionEnum) default permissions, the latter by altering remote SAM access default permissions.
“Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against their victim’s domain machines allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network,” the researchers noted, adding that some attack frameworks have already automated that mapping process.
“Prior to Windows 10 and Windows Server/DC 2016 the option to limit remote access to SAM didn’t exist. With Win 10 and Win 10 anniversary edition, the SAMRi10 will limit the remote access to Local Administrators/Domain Admins and any member of ‘Remote SAM Users’ (admin or non-admin),” Grady explained to me in an email.
“Hardening Windows 10 workstations and Windows Server 2016 will limit the access to their local accounts and groups info over remote SAM. Hardening Domain Controller 2016 (promoted Windows Server 2016) will limit the access to the domain accounts and groups info over remote SAM.”
The tool is intended only for Windows 10 versions and Windows Server 2016, because older Windows versions don’t look at the registry setting used to configure the remote access to SAM. “So even if the script will add it to their registry, the SAM server will ignore it,” he pointed out.
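As an added example (not SAMRi10's own code, nor anything from its ZIP), the following PowerShell function audits the hardening on a host: it reads the registry value the remote-SAM policy uses, lists which principals the SDDL grants access to, and flags whether the OS build is one that honours the value at all. It assumes the Windows value name RestrictRemoteSAM under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the 14393 build threshold (Windows 10 1607 / Server 2016), neither of which the article names.

```powershell
# Added audit example, not part of SAMRi10. Assumes the Windows registry value
# RestrictRemoteSAM (REG_SZ holding an SDDL string) under the Lsa key, which is
# the value the "restrict remote calls to SAM" policy writes.
function Get-RemoteSamAccessReport {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name   = 'RestrictRemoteSAM'

    # Assumption: build 14393 (Windows 10 1607 / Server 2016) is the first SAM
    # server that reads the value; the article says older versions ignore it.
    $build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $honoured = $build -ge 14393

    $sddl = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $sddl) {
        return [pscustomobject]@{
            Build = $build; SettingHonoured = $honoured; Sddl = $null; Allowed = @()
            Status = 'Value not set: the OS default for remote SAM access applies'
        }
    }

    # Parse the SDDL with .NET and collect every access-allowed principal.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. a deleted group): report it raw
    }

    # Broad principals that would undo the hardening: Everyone (S-1-1-0),
    # Authenticated Users (S-1-5-11), Domain Users (RID 513).
    $broad = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and
        ($_.SecurityIdentifier.Value -in 'S-1-1-0','S-1-5-11' -or
         $_.SecurityIdentifier.Value -like '*-513')
    }
    $status = if (-not $honoured) { 'Value present but ignored on this OS build' }
              elseif ($broad)     { 'WARNING: a broad principal is allowed remote SAM access' }
              else                { 'Remote SAM access restricted to the principals in Allowed' }

    [pscustomobject]@{
        Build = $build; SettingHonoured = $honoured; Sddl = $sddl
        Allowed = @($allowed); Status = $status
    }
}

Get-RemoteSamAccessReport | Format-List
```

Run it as an administrator on a workstation, member server or domain controller after applying SAMRi10 to confirm that only the admin groups and the intended ‘Remote SAM Users’ members appear under Allowed.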
SAMRi10 can be downloaded from here. Instructions for installation and use are included in the ZIP file.