(Deprecated) Windows GPO Configuration for Epiphany Collector

Note: this content is deprecated and retained for historical reasons. See Windows GPO Configuration for Epiphany Collector v2.0 for the current guide.

ABOUT THIS DOCUMENT

This guide outlines the process for applying a Windows Group Policy Object (GPO) to your organization's domain so that the Epiphany Intelligence Platform (EIP) can make remote calls to the Security Accounts Manager (SAM). Allowing Epiphany to enumerate users and groups in the local SAM database of each host, together with Active Directory, lets it assess risk based on your permission boundaries and privilege use: who is in the local Administrators group, who is in the Remote Desktop Users group, and which hosts carry local accounts. Once the GPO has been created, your EIP domain-joined service account must be granted permission in the setting's security descriptor. Older versions of Windows allowed a standard user to enumerate the SAM on servers and workstations remotely; after Microsoft's security updates, only members of the local Administrators group may do so by default, and this GPO is the supported way to grant that access to a single, dedicated account rather than reopening it to everyone.

VERSION COMPATIBILITY

This document applies to the following Windows versions:

  • Windows 10, version 1607 and later

  • Windows 10, version 1511 with KB 4103198 installed

  • Windows 10, version 1507 with KB 4012606 installed

  • Windows 8.1 with KB 4102219 installed

  • Windows 7 with KB 4012218 installed

Warning: The configuration change introduced by this GPO must not be applied to domain controllers. Regardless of version, domain controllers default to the same 'everyone' access to the local SAM as legacy versions of Windows, and applications such as Citrix interact with the domain controller's SAM using low-privileged accounts; restricting that access could break them. Exclude domain controllers from the GPO using a WMI filter.

Warning: The configuration change introduced by this GPO can cause issues with legacy software on Windows versions not listed above. If your environment includes older versions of Windows, they must be excluded from this GPO using a WMI filter.

PREREQUISITES

Here is a list of prerequisites for completing this guide:

  • Epiphany Intelligence Platform domain-joined service account

OVERVIEW

To create the GPO for use with EIP, follow the steps below in order:

Step 1: Log in to a domain controller (or a management host with the Group Policy Management Console installed), open the Group Policy Management Editor for the GPO you will use, and navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

Step 2: Select “Network access: Restrict clients allowed to make remote calls to SAM”.

Step 3: [Check] the box for “Define this policy setting”, then [Left-Click] “Edit Security…”.

Step 4: By default, Administrators have Remote Access set to Allow. You can edit this according to your organization's security policies, but for the purpose of this document we will [Left-Click] Add…, select the domain-joined service account you created for EIP, and confirm that Remote Access is set to Allow for that account. Click OK.

Step 5: The security descriptor field is now populated with the new setting (an SDDL string that includes the service account's SID). [Left-Click] “Apply”.

Step 6: Verify the new value in the Security Options list of the Group Policy Management Editor (the screen from Step 1). Apply the WMI filter described in the warnings above before the GPO is linked, so that domain controllers and unsupported Windows versions are excluded.
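The following PowerShell is an added example and is not part of the original guide or of the EIP product. It shows what the GUI steps above produce and how to verify the result on a target host: the SDDL that grants the service account READ_CONTROL alongside the default Administrators entry, the WQL expression commonly used in a WMI filter to exclude domain controllers, and a check that parses the effective RestrictRemoteSAM value on a workstation or member server. The account name CONTOSO\svc-eip, the GPO name and the host name WKS01 are hypothetical. Set-EipRemoteSamGpo writes the value as a registry policy through the GroupPolicy module (RSAT); that reaches the same registry key the Security Options setting manages, but it will not appear under Security Options in the editor, so use it for automation and the GUI steps for a GUI-managed GPO.

```powershell
# Added example; hypothetical names: CONTOSO\svc-eip, 'EIP - Restrict Remote SAM', WKS01.

# WQL for a WMI filter that keeps domain controllers out of the GPO
# (Win32_ComputerSystem.DomainRole 4 and 5 are backup/primary domain controllers).
$DcExclusionWql = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole < 4'

function Get-AccountSid {
    # Resolves DOMAIN\account to its SID string without the ActiveDirectory module.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-RemoteSamSddl {
    # Keeps the post-update default (local Administrators, READ_CONTROL) and grants
    # the same right to the service account. "RC" is READ_CONTROL (0x20000), the only
    # right the "Remote Access" checkbox in the UI controls.
    param([Parameter(Mandatory)][string]$ServiceAccount)
    $sid = Get-AccountSid -Account $ServiceAccount
    "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sid)"
}

function Set-EipRemoteSamGpo {
    # Writes RestrictRemoteSAM into the named GPO as a registry policy value.
    # Requires the RSAT GroupPolicy module. Returns the SDDL that was written.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ServiceAccount
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $sddl = New-RemoteSamSddl -ServiceAccount $ServiceAccount
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ValueName 'RestrictRemoteSAM' -Type String -Value $sddl | Out-Null
    $sddl
}

function Test-RemoteSamAccess {
    # Run on a workstation or member server after gpupdate (or ship it with
    # Invoke-Command; it is self-contained). Returns $true when the host is not a
    # domain controller and the given SID has READ_CONTROL in the effective
    # RestrictRemoteSAM descriptor.
    param([Parameter(Mandatory)][string]$ServiceAccountSid)

    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        Write-Warning 'This host is a domain controller; the GPO must not apply here.'
        return $false
    }

    $sddl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) {
        Write-Warning 'RestrictRemoteSAM is not set; the OS default (Administrators only on the listed versions) applies.'
        return $false
    }

    # Parse the SDDL and look for an Allow ACE for the SID that includes READ_CONTROL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $ServiceAccountSid -and
            ($ace.AccessMask -band 0x20000) -ne 0) {
            return $true
        }
    }
    Write-Warning "SID $ServiceAccountSid is not granted READ_CONTROL in: $sddl"
    $false
}

# Usage (hypothetical names):
# Set-EipRemoteSamGpo -GpoName 'EIP - Restrict Remote SAM' -ServiceAccount 'CONTOSO\svc-eip'
# $sid = Get-AccountSid -Account 'CONTOSO\svc-eip'
# Invoke-Command -ComputerName WKS01 -ScriptBlock ${function:Test-RemoteSamAccess} -ArgumentList $sid
```

Test-RemoteSamAccess takes a SID rather than an account name so that the function body can be sent to a remote host on its own; resolve the SID once on the management host and pass it along. A $false result with the "not set" warning after gpupdate usually means the GPO is not linked to the host's OU or the WMI filter excluded it.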

For further reading, refer to the Microsoft article listed under Supplemental Resources.

WHAT IS NEEDED FOR INTEGRATION?

To integrate your newly configured data source into the Epiphany Intelligence Platform, provide the following information in the EIP web interface. It is entered on your Windows AD data source configuration card.

Data Source Name – Choose a name for the Windows AD data source configuration card.

Data Source Owner – Choose your organizational stakeholder for this data source.

Data Source Notes – *Optional* – Add additional information about the data source.

Username – The Windows AD service account username you created for EIP

Password – The password of the service account listed above

Domain – Fully Qualified Domain Name (FQDN) of the Windows AD data source domain

Domain Controller – FQDN of the Windows AD data source domain controller

Global Catalog – FQDN of the Windows AD data source global catalog

SUPPLEMENTAL RESOURCES

Microsoft. (2021, December 14). Network access: Restrict clients allowed to make remote calls to SAM. Microsoft Docs. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

© Copyright 2022 Epiphany Systems and its affiliates.

The only warranties for products and services of Epiphany Systems and its affiliates and licensees (“Epiphany Systems”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Epiphany Systems shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.