AnsweredAssumed Answered

Restricted Admin Setting

Question asked by Grant Johnson on Jul 18, 2014
Latest reply on Jul 18, 2014 by Qsingh

I had a customer inquire about a recent post and the need to be able to run a policy compliance scan to determine if the Restrict Admin setting in windows is set.  A control that would detect Status of Restricted Admin setting in Windows would do this I believe based on my reading - A simple registry check hopefully.   Do we have a UDC for this?

Technet Microsoft SB
https://technet.microsoft.com/security/advisory/2871997

Attack Vector - reason For the need for detection
Attacker uses a publicly-available free penetration testing tool (such as WCE or Mimikatz) that steals an authentication component, named NTLM hash, from the employee’s device. The NTLM hash resides by default on all devices that connect to enterprise resources.
Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse. For example, many enterprises try to limit the use Active Directory’s older – yet still enabled by default –authentication protocol (i.e. NTLM). In other scenarios, enterprises log and audit NTLM activity.
The attacker forces the client to authenticate to Active Directory using a weaker encryption protocol. At this stage, the attacker uses the Active Directory flaw where the encryption protocol relies on the NTLM hash.
This activity is not logged in system and 3rd party logs- even those that specifically log NTLM activity. As a result, no alerts, or forensic data, ever indicate that an attack takes place.
The attacker proves its so-called legitimate identity to Active Directory using the weaker authentication protocol. Consequently, the attacker is able to:
Authenticate themselves to restricted services
Change the password of the victim

See SCMagazine article

http://www.scmagazine.com/active-directory-flaw-opens-enterprise-services-to-unauthorized-access/article/361017/?DCMP=EMC-SCUS_Newswire&spMailingID=9031988&spUserID=OTg2ODEwMjUyNzgS1&spJobID=341316514&spReportId=MzQxMzE2NTE0S0

Outcomes