PRIMARY CATEGORY → WINDOWS MOVEMENT
Restricted Admin Mode
Summary
DisableRestrictedAdmin
TL;DR
Credentials are not sent to, or cached in, the remote machine's LSASS.exe memory when authenticating via RDP (Logon Type 10 - RemoteInteractive) → no credential delegation to the remote host
Disabled by default
Default Value → Value not created
It mitigates credential theft on the remote host by not performing the standard, credential-caching authentication that LSASS.exe carries out there
I.e., with a normal RDP logon (Logon Type 10 - RemoteInteractive) the user's credentials and derived secrets, such as NTLM hashes, Kerberos keys, Kerberos tickets (TGTs and TGSs), Kerberos session keys, and so on, are stored in the memory space of the LSASS.exe process on the remote machine
Therefore, an attacker who has compromised that remote machine can extract this material by dumping the LSASS.exe memory space or by reading/writing to it
This enables pivoting or lateral movement using techniques such as PtH, PtK, OverPass-the-Hash or PtT
So, with Restricted Admin mode a RemoteInteractive logon (Logon Type 10) does not leave the user's credentials on the remote system; the session's outbound network identity is the remote host's machine account instead, so network resources accessed from that session are not accessed as the user
Important
If Restricted Admin mode is enabled on the remote host, an RDP client can establish a Restricted Admin connection (mstsc.exe /restrictedAdmin; a normal RDP logon still works unless policy requires the mode) only if →
❶ The user's logon session on the client already holds valid credentials (NTLM hash, Kerberos tickets…): the client authenticates with those and never sends a password to the remote host, which is also why a logon session holding only a hash or a ticket is enough for PtH/PtT over RDP once the mode is enabled
❷ The user is a member of the Administrators group on the target machine
Check the Value of DisableRestrictedAdmin
Reg Query
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa | findstr /I DisableRestrictedAdmin
No output means the value is not present (mode disabled); single quotes around the pattern would be searched literally by findstr under cmd.exe
Get-ItemProperty
(Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa").DisableRestrictedAdmin
Enable Restricted Admin Mode (set DisableRestrictedAdmin to 0)
Reg Add
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Set-ItemProperty
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Force
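The check, enable and verify steps above, together with the Logon Type 10 behaviour described in the summary, as one PowerShell script. This is an added example, not code from the original page. It assumes it runs elevated on the RDP target for the registry and Security-log parts; the connect helper is meant for the RDP client, and the host name SRV01 in the usage line is a placeholder. The 4624 EventData field names used (LogonType, RestrictedAdminMode, TargetUserName, TargetDomainName, IpAddress) are those written by Windows 10 / Server 2016 and later; on older builds RestrictedAdminMode is absent and shows as empty.

```powershell
# Added example (not from the original page). Registry and event-log parts run
# elevated on the RDP target; Connect-RestrictedAdminRdp runs on the client.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminMode {
    # Distinguish "value not present" (mode disabled) from an explicit 0 (enabled)
    # or 1 (disabled); Get-ItemProperty -Name errors when the value is absent,
    # so the error is suppressed and $value stays $null.
    $value = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin `
                -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($null -eq $value) { $state = 'Disabled (value not present)' }
    elseif ($value -eq 0) { $state = 'Enabled' }
    else                  { $state = 'Disabled' }
    [pscustomobject]@{ DisableRestrictedAdmin = $value; RestrictedAdminMode = $state }
}

function Enable-RestrictedAdminMode {
    # DisableRestrictedAdmin = 0 turns the mode ON (the value name is inverted).
    # New-ItemProperty -Force creates or overwrites it and pins the type to REG_DWORD.
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Get-RestrictedAdminMode
}

function Connect-RestrictedAdminRdp {
    param([Parameter(Mandatory)][string]$Target)
    # Client side: /restrictedAdmin makes mstsc authenticate with the credentials
    # already present in the caller's logon session and never sends a password,
    # so nothing is left in the target's LSASS for this logon.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/restrictedAdmin /v:$Target"
}

function Get-RestrictedAdminLogon {
    param([int]$MaxEvents = 200)
    # Target side: parse 4624 EventData by field name instead of the localized
    # message text. RDP logons are LogonType 10; a Restricted Admin session
    # carries RestrictedAdminMode = Yes, a normal RDP logon carries No.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data.LogonType -eq '10') {
            [pscustomobject]@{
                Time                = $_.TimeCreated
                User                = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceIp            = $data.IpAddress
                RestrictedAdminMode = $data.RestrictedAdminMode
            }
        }
    }
}

# Usage (target): read the current state, enable the mode, then list RDP logons
# and confirm which of them were Restricted Admin sessions.
Get-RestrictedAdminMode
Enable-RestrictedAdminMode
Get-RestrictedAdminLogon | Format-Table -AutoSize
# Usage (client, hypothetical host name):
# Connect-RestrictedAdminRdp -Target 'SRV01'
```

Two checks worth keeping from this: the state function reports "value not present" separately, because the default is an absent value rather than an explicit 1; and the event query is the quickest way to confirm the mode actually took effect, since a connection made without /restrictedAdmin still shows up as Logon Type 10 but with RestrictedAdminMode = No and its credentials cached in LSASS as usual.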