SAMRi10 - SAMR calls on Windows 10 logoff

  • Question

  • We are looking into activating the GPO setting "Restrict clients allowed to make remote calls SAM" to prevent recon attacks on our domain controllers. (SAMRi10)

    I'm testing this GPO setting on a 2016 Domain Controller in a LAB environment using Audit Only Mode. When logging off from a domain-joined Windows 10 system, a SAMR call is initiated by the SID of the user account which is going to log off (verified by Network Monitor and Microsoft Message Analyzer captures).

    Windows 2016 logon/logoff do not trigger a SAMR call to the DC.

    Activating Audit Only Mode in a production environment will lead to a huge amount of audit events on the DCs at the end of the day when everybody is logging off from the Windows 10 clients. So this means every user needs to have SAMR access in order to make the SAMR call at logoff, which makes the policy really useless on Domain Controllers. The next step is to disable Audit Only Mode to activate the SAMR policy. The question is: what will happen to the Windows 10 session / AD account if the SAMR call is blocked on logoff?

    Is this SAMR call a piece of legacy code in Windows 10 or will it break something when blocking this SAMR call?

    Wednesday, September 4, 2019 10:32 AM
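A defender-side check for the audit-only phase described in the question, added here as an example that is not part of the original post: it summarises which accounts and client addresses generate the "would have been denied" events, so the list can be reviewed before audit-only mode is switched off. The log name (System), the event ID 16968, and the "Client SID ... network address" message wording are assumptions to verify against the events on your own DC.

```powershell
# Added example, not from the original post. Summarise SAM audit-only events on a DC.
# ASSUMPTIONS: audit-only "would have been denied" events are ID 16968 from source
# Microsoft-Windows-Directory-Services-SAM in the System log, and their message contains
# "Client SID: <sid> ... network address: <addr>". Adjust the parameters if your DC differs.
param(
    [string]$LogName = 'System',
    [int]$EventId = 16968,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No events with ID $EventId in log '$LogName' since $since."
    return
}

$sidCache = @{}
$rows = foreach ($e in $events) {
    # Pull the client SID and source address out of the message text (assumed wording, see above).
    if ($e.Message -match 'Client SID:\s*(?<sid>S-[\d-]+).*?network address:\s*(?<addr>[0-9A-Fa-f\.:]+)') {
        $sid = $Matches['sid']
        if (-not $sidCache.ContainsKey($sid)) {
            # Resolve the SID once; deleted or foreign accounts will not translate.
            try {
                $sidCache[$sid] = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                                   Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sidCache[$sid] = '<unresolved>' }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Sid     = $sid
            Account = $sidCache[$sid]
            Address = $Matches['addr']
        }
    }
}

# Volume per hour: shows whether the events really cluster at the end-of-day logoff.
Write-Output "Events per hour:"
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# Who would be denied, and from where: the review list before leaving audit-only mode.
Write-Output "Accounts and client addresses that would be denied:"
$rows | Group-Object Account, Address | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Sid';     e = { $_.Group[0].Sid } },
        @{ n = 'Address'; e = { $_.Group[0].Address } } | Format-Table -AutoSize
```

Run it on the DC (or with `-ComputerName` added to `Get-WinEvent`) after a day of audit-only operation; if the events come from ordinary user SIDs at logoff time, as the question reports, the output quantifies exactly what the policy would block.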
