Jun 24 2020 09:57 AM
For the SAM-R, we understand the following is required: "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP Service account created during Azure ATP installation."
My question is around the SAM-R process from the sensors to the domain members and network access rules (FW). Our AD site is a standard hub and spoke with several dozen branch office locations.
What determines which ATP sensor is used to query a domain member?
Does the Sensor only perform the SAMR discovery against the domain members in its AD site or some other discovery mechanism?
Does each domain sensor need SAM-R/SMB access to ALL domain members?
AD-Branch1 server only requires TCP445 to networks in Branch1.
Jun 24 2020 12:53 PM
@Bryan Bishop Some clarifications:
- The account used to authenticate with those SAMR requests is not the service account, but the configured AD/gMSA account in the portal.
A sensor might issue the inquiry to any endpoint that contacted the DC it is installed on, no matter where it is located.
So all sensors need port access to all endpoints in the network.
Jun 24 2020 03:53 PM
@Eli Ofek Thanks for the reply!
Correct, the gMSA will be used.
We have a highly segmented environment. A DC in BO#1 is not permitted to access a domain member in BO#2 (firewall rules). We allow domain members in a site access to the DC in that site and the DCs in our hub site. If I understand your reply, we won't have any issues, since a DC in BO#2 will never authenticate an endpoint in BO#3 (no firewall rules).
In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right?
Jun 25 2020 11:14 AM
Perhaps I'm not explaining myself correctly.
CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1, BHDC2, BHDC3 but will not have network access to BODC2. Therefore, CL1 will never authenticate to BODC1.
In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?
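The rule stated in the reply above ("a sensor might issue the inquiry to any endpoint that contacted the DC it is installed on") gives a way to plan the firewall rules the follow-up questions are about: every allowed client-to-DC authentication path implies a matching DC-to-client TCP 445 path for that DC's sensor. The following script, added here as an illustration and not code from the thread or from Microsoft, inverts a constructed set of client-to-DC authentication rules into the DC-to-client SAM-R rules the sensors would need, and then diffs that against a constructed DC-to-endpoint TCP 445 allow-list to report gaps and superfluous openings. All hostnames (CL1, BODC1, BHDC1 and so on) are constructed for the example and reuse the naming in the thread; the multi-domain question is not modelled because the thread does not answer it.

```python
"""Derive the DC -> endpoint TCP 445 (SAM-R) rules a sensor deployment needs.

Model taken from the thread: a sensor on a DC may query any endpoint that
authenticated to that DC, so each allowed client -> DC authentication path
requires a DC -> client path on TCP 445 for the sensor's SAM-R query.
Every hostname and rule below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed: the DCs each client is allowed to authenticate to
# (client -> DC direction, i.e. the "normal" inbound-to-DC firewall rules).
AUTH_RULES: Dict[str, Set[str]] = {
    "CL1": {"BODC1", "BHDC1", "BHDC2", "BHDC3"},  # branch office 1 client
    "CL2": {"BODC2", "BHDC1", "BHDC2", "BHDC3"},  # branch office 2 client
    "HUB-SRV1": {"BHDC1", "BHDC2", "BHDC3"},      # hub server, never uses a branch DC
}

# Constructed: the current DC -> endpoint TCP 445 allow-list.
# Branch DCs only reach their own branch; BHDC1 is deliberately missing CL2.
FW_DC_TO_CLIENT_445: Dict[str, Set[str]] = {
    "BODC1": {"CL1"},
    "BODC2": {"CL2"},
    "BHDC1": {"CL1", "HUB-SRV1"},
    "BHDC2": {"CL1", "CL2", "HUB-SRV1"},
    "BHDC3": {"CL1", "CL2", "HUB-SRV1"},
}


def required_samr_rules(auth_rules: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert client -> DC authentication paths into DC -> client SAM-R needs."""
    required: Dict[str, Set[str]] = {}
    for client, dcs in auth_rules.items():
        for dc in dcs:
            required.setdefault(dc, set()).add(client)
    return required


def missing_samr_rules(required: Dict[str, Set[str]],
                       allowed: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(dc, client) pairs the sensor needs on TCP 445 that the firewall blocks."""
    missing: List[Tuple[str, str]] = []
    for dc in sorted(required):
        for client in sorted(required[dc] - allowed.get(dc, set())):
            missing.append((dc, client))
    return missing


def superfluous_samr_rules(required: Dict[str, Set[str]],
                           allowed: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """DC -> client TCP 445 openings no authentication path justifies."""
    extra: List[Tuple[str, str]] = []
    for dc in sorted(allowed):
        for client in sorted(allowed[dc] - required.get(dc, set())):
            extra.append((dc, client))
    return extra


if __name__ == "__main__":
    req = required_samr_rules(AUTH_RULES)
    for dc in sorted(req):
        print(f"{dc} sensor must reach on TCP 445: {sorted(req[dc])}")
    print("missing firewall rules:", missing_samr_rules(req, FW_DC_TO_CLIENT_445))
    print("superfluous firewall rules:", superfluous_samr_rules(req, FW_DC_TO_CLIENT_445))
```

With the constructed rules, BODC1 only needs to reach CL1 and BODC2 never needs to reach CL1, which matches the reasoning in the branch-office follow-up: a branch DC's sensor only needs TCP 445 to endpoints that can authenticate to that DC in the first place. The hub DCs, which every client can authenticate to, need TCP 445 to every endpoint, and the diff flags the one deliberately omitted rule (BHDC1 to CL2).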