en-US - - English

2. SecPol (SAM) Settings

Restrict clients allowed to make remote calls to SAM


For the RCP-client some additional settings are required on Microsoft Windows targets (for more information, please click on the link:  Restrict clients allowed to make remote calls to SAM ):

  1. Type 'secpol.msc' in the start menu search field, and open the App:

          

  1. Visit this section: Security Settings / Local Policies / Security Options


  2. Find this Policy at the right tab (pushing 'n' makes it easier): 'Network access: Restrict clients allowed to make remote calls to SAM'



  3. At the beginning, it's Security Setting status will be: Not defined

    Double-click on that entry, and Edit Security...

  4. Use the Add... button to recognise groups or individual accounts to be added. (this way the RCP-client will receive the access to change their passwords)

         

5. We recommend to add account names separately to be sure, they will receive the rights.

         

Once you finished with settings, the Security Setting status will definitely display hexadecimal keys.


SAM settings by defining new groups (optional)

For ease of user management, it is advised to create a separate group and than add this groupt o the list. To create a group, navigate to Local Users and Groups window - or simply sun the lusrmgr.mcs command in the command line. Next, add the users (that we want to manage in PassMan) to this group.

         

Finally the group has to be added to the security settings, as it is shown on the screenshot below.

         

These adjustments needed to be done since the release of Microsoft Windows 10 (version 1607) and Microsoft Windows Server 2016.

         

On these versions the default settings had been changed, so only the built-in Administrator group has got all these privileges. (On the Domain Controller (DC) machines, these settings had not been changed, meaning all user can (by default) use Remote Access.) Important to notice, that the older versions of Microsoft Windows also include these settings and an Administrator can any time overwrite the default Security Descriptor settings. Unfortunately this means that in a real-life situation this can be a highly common problem.