I have software that is used for monitoring user logins. It uses a SAMR request to get user groups for allowing users in and out of the machine. When the software reaches out with a SAMR request for the groups, it looks like it is getting blocked by the Domain Controller. I think maybe from the firewall, because if I install it on the Domain Controller, it succeeds.
How can I test the SAMR request and see if I can get logging on it, or what firewall rules do I need to create to allow the SAMR request to complete?
Check the RestrictRemoteSAM registry value. The default settings for that were changed in Windows 10 version 1607 and Windows Server 2016.
It may also be the policy setting "Network access: Restrict clients allowed to make remote calls to SAM".
https://blog.netwrix.com/2022/11/18/making-internal-reconnaissance-harder-using-netcease-and-samri1o/
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
Note that SAMR uses tcp/445, as with any other file share, so this typically is not something the host-based firewall would deal with. Additionally, SAMR has a high affinity for a single domain controller (PDCe), so using the legacy SAMR protocol doesn't scale and may cause other difficult-to-solve problems that linger. SAMR has one very specific use case, and beyond that, the only usage I have seen over the years has been either inadvertent (which causes huge problems) or threat actors exploiting vulnerabilities in ancient protocols.
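As an added example (not from the question or either answer), the following PowerShell script performs the check suggested in the RestrictRemoteSAM answer: it reads the value on the domain controller, decodes the SDDL so you can see which principals are granted remote SAM access, reports whether audit-only mode is on, and pulls the SAM policy events that record a denied (or would-be-denied) caller's SID and network address. Value names, the default SDDL and the event IDs are taken from the Microsoft documentation linked above; the provider name used in the event filter is an assumption, so verify it against that page if the query returns nothing.

```powershell
# Added example: inspect RestrictRemoteSAM on a DC and surface the related
# SAM audit events. Run in an elevated PowerShell session on the domain
# controller the client is talking to.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props  = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

# Explicit policy value is an SDDL string. If absent, the OS default applies,
# which on Windows 10 1607 / Server 2016 and later allows only Administrators.
$sddl = $props.RestrictRemoteSAM
if (-not $sddl) {
    $sddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # built-in default per the Microsoft doc
    Write-Host "RestrictRemoteSAM not set; effective default: $sddl"
} else {
    Write-Host "RestrictRemoteSAM = $sddl"
}

# Decode the SDDL: the policy checks for the RC (READ_CONTROL, 0x20000) bit,
# so any principal whose ACE grants RC may make remote SAM calls.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }
    '{0,-14} {1,-40} mask=0x{2:X}' -f $ace.AceType, $name, $ace.AccessMask
}

# Audit-only mode (DWORD 1) logs would-be denials without enforcing them,
# which is the safe way to confirm the monitoring host is being blocked.
$auditOnly = $props.RestrictRemoteSamAuditOnlyMode
if ($null -eq $auditOnly) { $auditOnly = '(not set)' }
Write-Host "RestrictRemoteSamAuditOnlyMode = $auditOnly"

# Event 16965 = remote SAM call denied; 16968 = would have been denied in
# audit-only mode. Both include the client SID and network address.
# Provider name below is assumed; adjust if Get-WinEvent returns nothing.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
    Id           = 16965, 16968
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the events show the monitoring host's address being denied, the fix is a policy SDDL that grants RC to that host's service account rather than a firewall rule, since the traffic is already reaching tcp/445.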