
Hi everyone.

Context:

One of the AATP prerequisites is the SAM-R GPO.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step8-samr

The link above describes how the GPO should be configured.

However, the documentation is ambiguous on multiple aspects.

A note posted on this page

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

tells you that if you are configuring this GPO, you might break OAB (if you are running Exchange 2013/2016 in your environment).


There are some fixes proposed:

https://support.microsoft.com/en-us/help/4055652/access-checks-fail-because-of-authz-access-denied-e...

- unlink the GPO (that is required for AATP) and probably lose LMP

- configure the GPO to filter out domain controllers, and allow also Exchange server groups.

- hardest one: implement policy in audit mode, identify the apps using AuthZ and then add the required accounts in the allowed list.

If you have other applications using AuthZ, those might stop working...


With the GPO enabled I can confirm it breaks building OAB in my lab.

I can also confirm that creating a GPO from a W2016 machine, and applying it to W2012 machines, the settings are there (checked with remote registry from a W2016 machine).


I can also confirm that, without implementing the GPO, I still see some lateral movement paths built (at least in the reports), but not for all the objects...


In the use case where you have Windows 2012, 2012 R2, 2016, Exchange 2016, and Windows 10 clients in the environment, what is Microsoft's AATP product team recommendation to have LMP available without breaking anything?
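The post's third option (roll the policy out in audit mode, find the accounts that would be denied, then add them to the allow list) and its "checked with remote registry" verification step can be scripted. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation. It assumes the policy lands in `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` as the values `RestrictRemoteSAM` (REG_SZ holding an SDDL string) and `RestrictRemoteSAMAuditOnlyMode` (DWORD), that remote registry is reachable, and that the audit-mode events live in the `Microsoft-Windows-Directory-Services-SAM/Operational` log with IDs 16965 (denied) and 16968 (would be denied in audit mode); the log name and IDs are from memory and should be verified on your build. The host name `DC01` and the group SID are placeholders.

```powershell
# Added example (not from the original post or from Microsoft's documentation):
# read the effective "Restrict clients allowed to make remote calls to SAM"
# setting, decode its SDDL into principals, build a candidate SDDL that also
# allows a group (for instance the Exchange servers), and collect audit-mode hits.
# Assumptions: registry value names, audit log name and event IDs as in the lead-in.

function Get-RestrictRemoteSamState {
    param([Parameter(Mandatory)][string]$Computer)

    $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key   = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $sddl  = $key.GetValue('RestrictRemoteSAM')              # $null when the GPO never applied
    $audit = $key.GetValue('RestrictRemoteSAMAuditOnlyMode') # 1 = audit only, no enforcement
    $key.Close(); $hive.Close()

    $aces = @()
    if ($sddl) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }                     # unresolvable SID: keep the raw value
            $aces += [pscustomobject]@{
                Principal = $name
                Type      = $ace.AceType
                Mask      = ('0x{0:X}' -f $ace.AccessMask)   # 0x20000 = READ_CONTROL ("RC")
            }
        }
    }
    [pscustomobject]@{
        Computer   = $Computer
        Configured = [bool]$sddl        # $false: no policy value present, OS default applies
        AuditOnly  = ($audit -eq 1)
        Sddl       = $sddl
        Aces       = $aces
    }
}

function Add-RestrictRemoteSamAllow {
    # Return a new SDDL that additionally grants READ_CONTROL (the right SAM-R
    # callers need) to the given SID. Put the result into the GPO rather than
    # editing the registry by hand, so it survives the next policy refresh.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $ctorArgs = @(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x20000,                                             # READ_CONTROL
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)),
        $false,
        $null
    )
    $ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList $ctorArgs
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-RestrictRemoteSamAuditHits {
    # In audit-only mode the OS logs callers that would have been denied; collect
    # them so the application accounts (Exchange, monitoring, ...) can be added to
    # the allow list before enforcing. Log name and IDs are assumptions: verify.
    param([Parameter(Mandatory)][string]$Computer, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Directory-Services-SAM/Operational'
        Id        = 16965, 16968
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}

# Usage (host name is a placeholder)
$state = Get-RestrictRemoteSamState -Computer 'DC01'
$state | Format-List Computer, Configured, AuditOnly, Sddl
$state.Aces | Format-Table -AutoSize

# Candidate GPO value that also allows one more group. Replace the placeholder
# SID with the real group SID, e.g. (Get-ADGroup 'Exchange Servers').SID.Value.
$exchangeGroupSid = 'S-1-5-21-<DOMAIN>-<RID>'
$base = if ($state.Sddl) { $state.Sddl } else { 'O:SYG:SYD:(A;;RC;;;BA)' }  # documented Win10/2016 default, verify on your build
Add-RestrictRemoteSamAllow -Sddl $base -Sid $exchangeGroupSid

# What would break if the policy were enforced right now?
Get-RestrictRemoteSamAuditHits -Computer 'DC01' -Hours 72 | Format-Table -AutoSize
```

Run the state check against a representative member of each OS generation in the environment (the post notes the value is present on W2012 when the GPO is authored from W2016, so the registry read is the reliable way to confirm that), leave the policy in audit-only mode long enough for a full OAB generation cycle, and only switch to enforcement once the audit hits show nothing but principals already in the allow list.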
