Applies to: Advanced Threat Analytics version 1.9
Install ATA - Step 9
Step 9. Configure SAM-R required permissions
The lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed using the SAM-R protocol, via the ATA service account created in Step 2 (Connect to AD).
To ensure that Windows clients and servers allow the ATA service account to perform this SAM-R operation, you must modify your Group Policy so that the ATA service account is added alongside the accounts already listed in the Network access policy below.
Locate the policy:
- Policy Name: Network access - Restrict clients allowed to make remote calls to SAM
- Location: Computer configuration, Windows settings, Security settings, Local policies, Security options
Add the ATA service account to the list of approved accounts allowed to perform this action on your modern Windows systems.
The ATA service account (the one created during installation) now has the privileges needed to perform SAM-R queries in the environment.
Before enforcing the new policy, enable it in audit mode and verify the proposed change there, so that your environment remains secure without impacting application compatibility.
For more information on SAM-R and Group Policy, see Network access: Restrict clients allowed to make remote calls to SAM.
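The policy above is stored on each machine as a security descriptor, and the Group Policy setting is what you should edit in production. The following PowerShell, added here as an example and not part of the ATA documentation, builds the SDDL string that appends an allow entry for the ATA service account to whatever descriptor is already in effect, and then checks a client's applied setting, audit-mode flag and audit events. The domain `CONTOSO`, the account name `svc-ata`, and the event IDs 16964 (audit-only denial) and 16965 (enforced denial) are assumptions; verify the IDs against the linked policy reference on your build.

```powershell
# Added example, not from the ATA docs. Assumptions: domain CONTOSO and service
# account svc-ata are placeholders; event IDs 16964/16965 are as recalled from the
# policy reference and should be confirmed on your OS build.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictRemoteSamSddl {
    # Current effective descriptor on this machine, or the Windows default
    # (Builtin\Administrators with READ_CONTROL only) when no policy is applied.
    $v = Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue
    if ($v) { return $v.RestrictRemoteSAM }
    return 'O:SYG:SYD:(A;;RC;;;BA)'
}

function Add-RemoteSamAllowAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    # Idempotent: leave the descriptor alone if the SID is already allowed.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -eq $Sid -and $ace.AceQualifier -eq 'AccessAllowed') {
            return $Sddl
        }
    }
    # READ_CONTROL (0x20000, "RC" in SDDL) is the right the SAM-R restriction checks.
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x20000, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-RemoteSamAuditOnly {
    # $true when RestrictRemoteSAMAuditOnlyMode = 1, i.e. denials are only logged.
    $v = Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSAMAuditOnlyMode' -ErrorAction SilentlyContinue
    return [bool]($v -and $v.RestrictRemoteSAMAuditOnlyMode -eq 1)
}

function Get-RemoteSamDenialEvents {
    # Callers that would be (16964) or were (16965) denied remote SAM access.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
        Id           = 16964, 16965
    } -MaxEvents 50 -ErrorAction SilentlyContinue
}

# Resolve the ATA service account (placeholder name) to its SID via the domain.
$ataSid = ([System.Security.Principal.NTAccount]'CONTOSO\svc-ata').Translate(
    [System.Security.Principal.SecurityIdentifier])

$current = Get-RestrictRemoteSamSddl
$proposed = Add-RemoteSamAllowAce -Sddl $current -Sid $ataSid
"Current  : $current"
"Proposed : $proposed   <- paste into the GPO security descriptor editor"
"Audit-only mode on this host: $(Get-RemoteSamAuditOnly)"
Get-RemoteSamDenialEvents | Select-Object TimeCreated, Id, Message | Format-List
```

Run the script on a domain-joined client after the GPO has been applied: the `Current` line should already contain an `(A;;RC;;;S-1-5-21-...)` entry for the ATA account, `Add-RemoteSamAllowAce` should then return the descriptor unchanged, and any 16964 events listed while audit-only mode is on tell you which other callers the policy would block once you enforce it.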