Install ATA - Step 9

Applies to: Advanced Threat Analytics version 1.9

Note

Before enforcing any new policy, first enable and verify the proposed changes in audit mode, so that you can confirm the environment remains secure without breaking application compatibility.

Step 9: Configure SAM-R required permissions

The lateral movement path detection relies on queries that identify the local administrators on specific machines. These queries are performed over the SAM-R protocol using the ATA service account created in Step 2: Connect to AD.

To ensure that Windows clients and servers allow the ATA service account to perform this SAM-R operation, modify your Group Policy so that the ATA service account is added alongside the accounts already listed in the Network access policy (the configured list replaces the default, so keep Administrators on it rather than replacing the list with the ATA account alone). Apply this Group Policy to every device in your organization.

  1. Locate the policy:

    • Policy Name: Network access - Restrict clients allowed to make remote calls to SAM
    • Location: Computer configuration, Windows settings, Security settings, Local policies, Security options

  2. Add the ATA service account to the list of accounts allowed to perform this action on the Windows versions that support this policy.

  3. The ATA service account (the account created during installation) now has the privileges required to perform SAM-R queries in the environment.

For more information on SAM-R and Group Policy, see Network access: Restrict clients allowed to make remote calls to SAM.
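The policy above is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM, an SDDL string whose DACL lists who may make remote SAM calls. The following PowerShell is an added example, not part of the ATA documentation: it appends an allow entry for the ATA service account to the existing descriptor (so Administrators stay on the list), publishes the value and the audit-only switch through a GPO, and checks what a client actually received. The account name CONTOSO\svc-ata and the GPO name are assumptions. Set-GPRegistryValue stores the value as a registry policy (it appears under Extra Registry Settings in GPMC rather than under Security Options), which lands on clients as the same registry value the Security Options editor would write.

```powershell
# Added example, not part of the ATA documentation. Builds the SDDL behind
# "Network access: Restrict clients allowed to make remote calls to SAM"
# (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM) with the ATA
# service account appended, publishes it via a GPO, and verifies it on a client.
# Account and GPO names are assumptions.

$AtaServiceAccount = 'CONTOSO\svc-ata'        # assumed: the account created in Step 2
$GpoName           = 'ATA - SAM-R access'     # assumed: a GPO linked to all computers
$LsaKey            = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

# The policy stores SIDs, not names, so resolve the account first.
$ataSid = ([System.Security.Principal.NTAccount]$AtaServiceAccount).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

# Descriptor Windows uses when the policy is not configured: only built-in
# Administrators (BA) get READ_CONTROL (RC), the right the SAM server checks for
# remote callers. A configured value replaces this, so add to it, never overwrite.
$DefaultRestrictRemoteSam = 'O:BAG:BAD:(A;;RC;;;BA)'
$READ_CONTROL = 0x20000

function Test-SamRemoteAccess {
    # True if the SDDL contains an explicit allow ACE granting READ_CONTROL to the SID.
    param([string]$Sddl, [string]$Sid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid -and
            ($ace.AccessMask -band $READ_CONTROL) -eq $READ_CONTROL) { return $true }
    }
    return $false
}

function Add-SamRemoteAccess {
    # Returns the SDDL with an allow-RC ACE for the SID appended; idempotent.
    param([string]$Sddl, [string]$Sid)
    if (Test-SamRemoteAccess -Sddl $Sddl -Sid $Sid) { return $Sddl }
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $ace = New-Object System.Security.AccessControl.CommonAce(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               $READ_CONTROL,
               (New-Object System.Security.Principal.SecurityIdentifier($Sid)),
               $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# --- On a host with the GroupPolicy module: publish the value -------------------
# Start from what the GPO already holds so entries added earlier survive.
$current = (Get-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'RestrictRemoteSAM' `
              -ErrorAction SilentlyContinue).Value
if (-not $current) { $current = $DefaultRestrictRemoteSam }
$newSddl = Add-SamRemoteAccess -Sddl $current -Sid $ataSid

# Audit-only mode first (see the Note above): clients log would-be denials
# instead of enforcing the list. Set it to 0 once the audit looks clean.
Set-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'RestrictRemoteSamAuditOnlyMode' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'RestrictRemoteSAM' `
    -Type String -Value $newSddl | Out-Null

# --- On a client, after gpupdate: confirm the applied value grants the account ---
$applied = (Get-ItemProperty ('HKLM:' + $LsaKey.Substring(4)) -Name 'RestrictRemoteSAM' `
              -ErrorAction SilentlyContinue).RestrictRemoteSAM
if ($applied) {
    "ATA account granted remote SAM access: $(Test-SamRemoteAccess -Sddl $applied -Sid $ataSid)"
} else {
    'RestrictRemoteSAM is not set on this computer (policy not applied yet, or the OS lacks this policy)'
}
```

The publish and verify halves run on different machines (a GPMC host and a client respectively); Test-SamRemoteAccess is the piece worth keeping, since it reads the SDDL the client really applied rather than trusting the GPO editor.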

Access this computer from the network setting

If you've defined the Access this computer from the network setting in any GPO that applies to computers in your domain, you need to add the ATA service account to the list of allowed accounts for that setting:

Note

This setting is not defined in any GPO by default. If you have not configured it, you don't need to modify it to allow ATA to make remote calls to SAM.

To add the service account, open the policy and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Then open the setting Access this computer from the network.

Then add the ATA service account to the list of approved accounts.
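The user right behind this setting is SeNetworkLogonRight, and its counterpart "Deny access to this computer from the network" (SeDenyNetworkLogonRight) overrides it. The following PowerShell is an added example, not part of the ATA documentation: run elevated on a client, it exports the effective local security policy with secedit and reports whether the ATA service account (name assumed: CONTOSO\svc-ata) is granted the right directly or through Everyone or Authenticated Users, and is not denied it. It does not resolve membership in other listed groups such as Users, so a false result from it means "check manually", not "definitely blocked".

```powershell
# Added example, not part of the ATA documentation. Checks whether this computer
# grants the ATA service account "Access this computer from the network"
# (SeNetworkLogonRight) and does not deny it (SeDenyNetworkLogonRight).
# Reads the effective local policy exported by secedit; run elevated on the client.

$AtaServiceAccount = 'CONTOSO\svc-ata'   # assumed: the account created in Step 2

function Get-UserRightSids {
    # Returns the SIDs assigned a user right in the effective local security policy.
    param([string]$Right)
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        # secedit writes lines such as: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
        $line = Get-Content $cfg | Where-Object { $_ -match ('^{0}\s*=' -f $Right) }
        if (-not $line) { return @() }        # right assigned to nobody
        ($line -split '=', 2)[1] -split ',' | ForEach-Object {
            $e = $_.Trim()
            if ($e.StartsWith('*')) { $e.Substring(1) }    # already a SID
            else { ([System.Security.Principal.NTAccount]$e).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-NetworkLogonRight {
    # True if the account can log on to this computer over the network.
    param([string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # Principals every domain account matches during a network logon.
    $implicit   = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
    $candidates = @($sid) + $implicit

    # A deny entry wins over any allow entry, so check it first.
    $deny = @(Get-UserRightSids -Right 'SeDenyNetworkLogonRight')
    foreach ($c in $candidates) { if ($deny -contains $c) { return $false } }

    $allow = @(Get-UserRightSids -Right 'SeNetworkLogonRight')
    foreach ($c in $candidates) { if ($allow -contains $c) { return $true } }
    # Membership in other groups on the allow list (for example Users) is not resolved here.
    return $false
}

if (Test-NetworkLogonRight -Account $AtaServiceAccount) {
    "$AtaServiceAccount can access this computer from the network"
} else {
    "$AtaServiceAccount is not explicitly allowed to access this computer from the network; add it to the setting or verify group membership"
}
```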

See Also