The credentials of a user who logs on to a machine are often exposed in that machine's memory, where malware can steal them and impersonate the user. Privileged users with access to sensitive business data should therefore connect only to secure, trusted machines, to reduce the risk of identity theft. Technical measures exist to enforce this rule, and this Indicator of Exposure verifies that they are implemented.
To make it harder for attackers and malware to steal privileged identities and the permissions attached to them, privileged users should connect only to trusted machines. Once privileged users and trusted machines have been identified with a "tier model", technical measures should enforce logon restrictions on privileged users during day-to-day operations, so that the rule holds even when someone makes a mistake.
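As an added example (not part of the original page), the following PowerShell script audits one machine's effective user rights assignments, as exported by secedit, and reports every privileged group that is missing from any of the five "Deny log on" rights listed below. The group names and the temporary file path are placeholders; run it as an administrator on a machine that privileged users must not log on to.

```powershell
# Added example: check that the five "Deny log on" user rights on this machine
# cover the privileged (Tier 0) groups that should never log on here.
# Group names are placeholders for the groups defined in your own tier model.
$PrivilegedGroups = @('CONTOSO\Tier0-Admins', 'CONTOSO\Domain Admins')   # placeholders

# The five user rights this Indicator of Exposure checks (secedit constant names).
$DenyRights = @(
    'SeDenyBatchLogonRight',
    'SeDenyServiceLogonRight',
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDenyNetworkLogonRight'
)

# Resolve each group to its SID; secedit stores assignments as *<SID>.
$PrivilegedSids = @(foreach ($g in $PrivilegedGroups) {
    (New-Object System.Security.Principal.NTAccount($g)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
})

# Export the effective local security policy (includes rights applied by GPO).
$Inf = Join-Path $env:TEMP 'secpol-audit.inf'   # placeholder path
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section into a hashtable: right name -> list of SIDs.
$Assigned  = @{}
$inSection = $false
foreach ($line in Get-Content $Inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Assigned[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $Inf -Force

# Report every privileged group not denied by each right on this (untrusted) machine.
foreach ($right in $DenyRights) {
    $present = @($Assigned[$right])
    for ($i = 0; $i -lt $PrivilegedSids.Count; $i++) {
        if ($present -notcontains $PrivilegedSids[$i]) {
            [pscustomobject]@{ Right = $right; Group = $PrivilegedGroups[$i]; Status = 'NOT DENIED' }
        }
    }
}
```

An empty result means all five deny rights already cover every listed group on this machine; in practice the rights are deployed through a GPO linked to the OUs holding non-trusted machines, so a finding usually points at a missing link or a filtered GPO rather than a local misconfiguration.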
User-Workstations deprecation notice
User right: Deny log on as a batch job (SeDenyBatchLogonRight)
User right: Deny log on as a service (SeDenyServiceLogonRight)
User right: Deny log on locally (SeDenyInteractiveLogonRight)
User right: Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)
User right: Deny access to this computer from the network (SeDenyNetworkLogonRight)
Description of Selective Authentication (introduced by Windows 2003)
How selective authentication affects domain controller behavior
Name: Logon Restrictions for Privileged Users
Codename: C-ADMIN-RESTRICT-AUTH
Severity: High
Benjamin Delpy: Mimikatz
Andrew Robbins (@_wald0), Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y): BloodHound