Skip to content

Restricted remote administration must be enabled for high-value systems.

An XCCDF Rule

Description

<VulnDiscussion>Restricted remote administration features, RestrictedAdmin mode, and Remote Credential Guard for Remote Desktop Protocol (RDP), are an additional safeguard against "pass the hash" attacks, where hackers attempt to gain higher administrative privileges from a single compromised machine. Restricted remote administration protects administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. When restricted remote administration is implemented, the local RDP service tries to log on to the remote device using a network logon, so the user's credentials are not sent across the network. Therefore, if the high-value IT resource is compromised, the credentials of the administrator connecting to the IT resource from the PAW are not compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-243464r921975_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Enable RestrictedAdmin mode or Remote Credential Guard on high-value systems.

On target systems (high-value assets), configure the following registry value:

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin