Configure Azure ATP to make remote calls to SAM
Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP Service account created during Azure ATP installation Step 2. Connect to AD.
Configure SAM-R required permissions
To ensure Windows clients and servers allow your Azure ATP account to perform SAM-R, a modification to Group Policy must be made to add the Azure ATP service account in addition to the configured accounts listed in the Network access policy. Make sure to apply group policies to all computers.
Before enforcing new policies such as this one, it is critical to make sure that your environment remains secure, and any changes will not impact your application compatibility. Do this by first enabling and then verifying compatibility of proposed changes in audit mode before making changes to your production environment.
Locate the policy:
- Policy Name: Network access - Restrict clients allowed to make remote calls to SAM
- Location: Computer configuration, Windows settings, Security settings, Local policies, Security options
Add the Azure ATP service to the list of approved accounts able to perform this action on your modern Windows systems.
AATP Service (the Azure ATP service created during installation) now has the privileges needed to perform SAM-R in the environment.
For more on SAM-R and this Group Policy, see Network access: Restrict clients allowed to make remote calls to SAM.