STIGQter STIGQter: STIG Summary: Windows Server 2016 Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Jan 2020: Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.

DISA Rule

SV-88341r2_rule

Vulnerability Number

V-73677

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

WN16-MS-000310

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM".
Select "Edit Security" to configure the "Security descriptor:".

Add "Administrators" in "Group or user names:" if it is not already listed (this is the default).

Select "Administrators" in "Group or user names:".

Select "Allow" for "Remote Access" in "Permissions for "Administrators".

Click "OK".

The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.

Check Contents

This applies to member servers and standalone systems; it is NA for domain controllers.

If the following registry value does not exist or is not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\

Value Name: RestrictRemoteSAM

Value Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)

Vulnerability Number

V-73677

Documentable

False

Rule Version

WN16-MS-000310

Severity Override Guidance

This applies to member servers and standalone systems; it is NA for domain controllers.

If the following registry value does not exist or is not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\

Value Name: RestrictRemoteSAM

Value Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)

Check Content Reference

M

Target Key

3157

Comments