Issue:
IT helpdesk staff and desktop admins are unable to rename a
computer that is already a member of the domain. They likewise fail when
resetting a user's password remotely. Both operations are performed as remote
calls to the SAM database on a domain controller.
Environment:
Windows Server 2016 domain controllers hardened to the STIG/CIS
benchmarks
Reference:
The SAM Remote Protocol (SAMR, often written SAMRPC) makes it possible for a
low-privileged or non-privileged user to query a machine over the network for
information. A user can use SAMR to enumerate users, including privileged
accounts such as local or domain administrators, and to enumerate groups and
group membership from the local SAM database and from Active Directory. An
attacker can use this information as a starting point for compromising a domain
or network.
To mitigate this risk, configure the 'Network access: Restrict clients allowed to make remote calls to SAM'
security policy setting. It forces the Security Account Manager (SAM) to perform
an access check against every remote call, using a security descriptor written in
SDDL that lists the principals allowed to connect.
By default, the security descriptor on computers beginning with
Windows 10 version 1607 and Windows Server 2016 allows only the local
(built-in) Administrators group remote access to SAM on member servers and
workstations (the default SDDL is O:BAG:BAD:(A;;RC;;;BA)), and allows Everyone
remote access to SAM on domain controllers.
The CIS Benchmark likewise recommends allowing only Administrators, but scopes
that recommendation to member servers ("MS only"), not to domain controllers.
The problem starts when the domain controllers are also configured
with the same security policy setting: every remote SAM call to the DC from an
account outside the built-in Administrators group is then denied, including the
helpdesk's computer-rename and password-reset operations.
Solution:
This security policy setting can be configured to admit the delegated
low-privileged accounts (for example a helpdesk group) in addition to
Administrators, either through Group Policy (Computer Configuration > Windows
Settings > Security Settings > Local Policies > Security Options) or through the
registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
(REG_SZ, holding the SDDL string) on each DC. Add an access-allowed ACE for the
delegated group to the existing descriptor rather than reverting the DCs to the
Everyone default. If the setting is defined in a GPO that applies to the DCs, a
direct registry edit will be overwritten at the next policy refresh, so in that
case change the GPO.
Security Consideration:
The SAMR protocol has a default security posture that
makes it possible for low-privileged attackers to query a machine on the
network for data that is critical to their further attack and lateral-movement
planning.
The following example illustrates how an attacker might
exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have
a highly privileged domain user configured as a local administrator on that
machine.
3. If the attacker can then find any other vulnerability on that machine that allows
taking it over, the attacker can squat on the machine waiting for the
high-privileged user to log on and then steal or impersonate those credentials.
Countermeasure:
You can mitigate this vulnerability by enabling the 'Network
access: Restrict clients allowed to make remote calls to SAM' security policy
setting and configuring the SDDL to allow only those accounts that are explicitly
permitted access. Before enforcing a new descriptor on a DC, set the REG_DWORD
value RestrictRemoteSamAuditOnlyMode under the same Lsa key to 1: in audit-only
mode the access check runs and denials are logged (event IDs 16962 to 16969 in
the System log) but not enforced, which reveals which accounts and hosts still
make remote SAM calls and would break under enforcement.
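The following PowerShell script is an added example, not code from the original article, that implements the Solution and Countermeasure sections together: it switches the DC into audit-only mode, lists the denied callers, appends an access-allowed ACE for a delegated group to the current RestrictRemoteSAM descriptor (leaving Everyone out), and then turns enforcement back on. The group name CONTOSO\Helpdesk-Tier1 is hypothetical; the registry path, value names, default SDDL and event IDs are taken from Microsoft's documentation of this setting. It must run with administrative rights on the DC (or inside Invoke-Command against it), and resolving the group name to a SID requires domain connectivity.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run on the domain controller.
# Assumption: 'CONTOSO\Helpdesk-Tier1' is a hypothetical delegated helpdesk group.

$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'RestrictRemoteSAM'                # REG_SZ holding the SDDL string
$AuditValue  = 'RestrictRemoteSamAuditOnlyMode'   # REG_DWORD: 1 = log denials, do not enforce
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'           # OS default: only BUILTIN\Administrators (BA)
$ReadControl = 0x20000                            # READ_CONTROL, the "RC" right in the SDDL

function Get-RemoteSamSddl {
    # Effective descriptor: the configured value, or the OS default when the value is absent.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultSddl }
    return [string]$item.$ValueName
}

function Add-RemoteSamAllowedPrincipal {
    # Appends an access-allowed ACE granting RC to $Principal, so the DC keeps denying
    # Everyone but admits the delegated group. Returns the resulting SDDL.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Principal)

    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor (Get-RemoteSamSddl)

    # Idempotent: an existing allow ACE for this SID that already includes RC is enough.
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier -eq $sid -and
        (($_.AccessMask -band $ReadControl) -eq $ReadControl) }
    if ($already) {
        Write-Verbose "$Principal already has remote SAM access"
        return $sd.GetSddlForm('All')
    }

    $ace = New-Object System.Security.AccessControl.CommonAce (
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $ReadControl, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm('All')

    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $newSddl")) {
        # A GPO that also defines this setting will overwrite the value on the next
        # policy refresh; in that case put the SDDL in the GPO instead.
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $newSddl -Type String
    }
    return $newSddl
}

function Set-RemoteSamAuditOnlyMode {
    # Audit-only mode runs the access check and logs would-be denials without enforcing them.
    param([Parameter(Mandatory)][bool]$Enabled)
    Set-ItemProperty -Path $LsaKey -Name $AuditValue -Value ([int]$Enabled) -Type DWord
}

function Get-RemoteSamDeniedCallers {
    # The restriction feature logs event IDs 16962-16969 to the System log;
    # 16965 reports a denied (or, in audit mode, would-be denied) call with the
    # client SID and network address, which is what you need to size the exception.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16965 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: measure first, delegate narrowly, then enforce.
# Drop -WhatIf once the SDDL printed is the one you intend to apply.
Set-RemoteSamAuditOnlyMode -Enabled $true
Get-RemoteSamDeniedCallers | Format-Table -AutoSize
Add-RemoteSamAllowedPrincipal -Principal 'CONTOSO\Helpdesk-Tier1' -Verbose -WhatIf
Set-RemoteSamAuditOnlyMode -Enabled $false
```

The script never rewrites the descriptor from scratch: it parses whatever is currently configured (or the documented default) with RawSecurityDescriptor and appends one ACE, so an Administrators-only descriptor becomes O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;S-1-5-21-...) for the delegated group's SID and nothing else is widened. Leave audit-only mode on for at least one business cycle so that infrequent callers (scheduled tasks, monitoring agents) show up in the 16965 events before enforcement is switched back on.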