SV-92867r1_rule
V-78161
SRG-OS-000480-GPOS-00227
WPAW-00-002500
CAT II
10
Enable RestrictedAdmin mode or Remote Credential Guard on high-value systems.
On target systems (high-value assets), configure the following registry value:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
On PAW systems:
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation "Restrict delegation of credentials to remote servers" to "Enabled".
Starting with v1607 of Windows 10, this setting also requires selection of an option for "Use the following restricted mode:", which offers the following choices:
- Prefer Remote Credential Guard (v1703 - Restrict Credential Delegation)
- Require Remote Credential Guard
- Require Restricted Admin
In the Registry Editor of the remote target system (high-value assets), verify the following registry key has a value of "0":
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
If restricted remote administration has not been enabled on the target system, this is a finding.
In the Registry Editor of the PAW system, verify the following registry key has a value of "1":
- HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation
- Name: RestrictedRemoteAdministration
- Type: REG_DWORD
- Value: 1
If restricted remote administration has not been enabled on the PAW and is not enforced by policy, this is a finding.
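The two checks above can be automated. The following PowerShell script is an added example, not part of the STIG text or any DISA tooling; it reads the two registry values named in the check and reports a finding when either is missing or has the wrong value. The -Role parameter and the Get-RegDword helper are assumptions of this example, since a given machine is either a target (high-value asset) or a PAW.

```powershell
# Added example: compliance check for WPAW-00-002500 (not DISA's own code).
# Run elevated on the system being checked; -Role selects which half applies.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Target', 'PAW')]
    [string]$Role
)

# Helper (assumed name): return a REG_DWORD as an int, or $null if absent.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Describe a value for the report without treating "missing" as 0.
function Format-Value {
    param($Value)
    if ($null -eq $Value) { return 'not set' } else { return "$Value" }
}

$findings = @()

switch ($Role) {
    'Target' {
        # High-value asset: DisableRestrictedAdmin must exist and be 0 so the host
        # accepts RestrictedAdmin / Remote Credential Guard connections.
        $v = Get-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name 'DisableRestrictedAdmin'
        if ($v -ne 0) {
            $findings += "Lsa\DisableRestrictedAdmin is $(Format-Value $v); expected 0"
        }
    }
    'PAW' {
        # PAW: the policy-backed value must be 1. A value under HKLM\Software\Policies
        # is what shows the setting is enforced by Group Policy rather than set by hand.
        $v = Get-RegDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' `
                          -Name 'RestrictedRemoteAdministration'
        if ($v -ne 1) {
            $findings += "CredentialsDelegation\RestrictedRemoteAdministration is $(Format-Value $v); expected 1"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "WPAW-00-002500 ($Role): Not a finding"
    exit 0
}
$findings | ForEach-Object { Write-Output "WPAW-00-002500 ($Role): FINDING - $_" }
exit 1
```

The exit code (0 = compliant, 1 = finding) lets the script be dropped into a scheduled compliance sweep; on a PAW, a missing policy value is reported as a finding even if the equivalent setting was applied locally, matching the "not enforced by policy" wording of the check.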