KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64
User : ServerPC ( 0)
PHP Version : 8.2.12
Disable Function : NONE
Directory :  C:/Windows/PolicyDefinitions/en-US/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : C:/Windows/PolicyDefinitions/en-US/sam.adml
<?xml version="1.0" encoding="utf-8"?>
<!--  (c) 2006 Microsoft Corporation  -->
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>SAM Settings</displayName>
  <description>Configuration settings for the Security Account Manager</description>
  <resources>
    <stringTable>
      <string id="SAM">SAM</string>
      <string id="SecurityAccountManager">Security Account Manager</string>
      <string id="SamNGCKeyROCAValidation">Configure validation of ROCA-vulnerable WHfB keys during authentication</string>
      <string id="SamNGCKeyROCAValidationNone">Ignore ROCA-vulnerable WHfB keys</string>
      <string id="SamNGCKeyROCAValidationAudit">Audit ROCA-vulnerable WHfB keys on use</string>
      <string id="SamNGCKeyROCAValidationBlock">Block ROCA-vulnerable WHfB keys on use</string>
      <string id="SamNGCKeyROCAValidation_explain">This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.

For more information on the ROCA vulnerability, please see:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361

https://en.wikipedia.org/wiki/ROCA_vulnerability

If you enable this policy setting the following options are supported:

Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.

Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).

Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).

This setting only takes effect on domain controllers.

If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.

A reboot is not required for changes to this setting to take effect.

Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.

More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
</string>
      <string id="SamrChangeUserPasswordApiPolicy">Configure SAM change password RPC methods policy</string>
      <string id="SamrChangeUserPasswordApiPolicyBlockAll">Block all change password RPC methods</string>
      <string id="SamrChangeUserPasswordApiPolicyAllowSecure">Allow strong encryption change password RPC method only</string>
      <string id="SamrChangeUserPasswordApiPolicyAllowAll">Allow all change password RPC methods</string>
      <string id="SamrChangeUserPasswordApiPolicyExplain">This policy enables an administrator to configure the remote usage of change user password RPC methods in security account manager(SAM).

When the policy is enabled, following options are supported:

Block all change password RPC methods: block remote usage of all the security account manager(SAM) change password RPC methods.

Allow strong encryption change password RPC method: allow remote use of the change password RPC method which uses strong encryption and blocks remote use of weak encryption methods.

Allow all change password RPC methods: allows remote usage of all the change password RPC methods irrespetive of the encryption.

Default policy: 1. Domain member computers - block all change password RPC methods.
                2. Domain controllers - allow strong encryption change password RPC method.

Note: If the policy is disabled or not configured, the machine will use the default policy.
</string>
    </stringTable>
    <presentationTable>
      <presentation id="SamNGCKeyROCAValidation">
        <dropdownList refId="SamNGCKeyROCAValidation_Settings" noSort="true" defaultItem="2">Options for handling ROCA-vulnerable WHfB keys:</dropdownList>
      </presentation>
      <presentation id="SamrChangeUserPasswordApiPolicy">
        <dropdownList refId="SamrChangeUserPasswordApiPolicySettings" noSort="true" defaultItem="1">Options for Sam password change RPC method policy:</dropdownList>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>

Anon7 - 2021