Disallow WinRM from storing RunAs credentials

Information

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.

If you enable this policy setting the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values the RunAsPassword configuration value will be erased from the credential store on this computer.

If you disable or do not configure this policy setting the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.

If you enable and then disable this policy settingany values that were previously configured for RunAsPassword will need to be reset.

Solution

Policy Path: Windows Components\Windows Remote Management (WinRM)\WinRM Service
Policy Setting Name: Disallow WinRM from storing RunAs credentials

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10)

Plugin: Windows

Control ID: 235d401c16b538cf08256ff4e6c5f7cd1f34acf3ebd09cffec38797113974cd9