REPORT | MANDIANT Ransomware Protection and Containment Strategies 20
Service Account Logon Restrictions
Organizations should also consider enhancing the security of
domain-based service accounts - to restrict the capability for the
accounts to be used for interactive, remote desktop, and where
possible, network-based logons.
On endpoints where the service account is not required for
interactive or remote logon purposes, Group Policy settings can
be used to enforce recommended logon restrictions for limiting
the exposure of service accounts.
• Computer Configuration > Policies > Windows Settings >
Security Settings > Local Policies > User Rights Assignment
– Deny log on locally (SeDenyInteractiveLogonRight)
– Deny log on through Terminal Services
(SeDenyRemoteInteractiveLogonRight)
Additional recommended logon hardening for service accounts
(on endpoints where the service accounts is not required for
network-based logon purposes):
• Computer Configuration > Policies > Windows Settings >
Security Settings > Local Policies > User Rights Assignment
– Deny access to this computer from the network
(SeDenyNetworkLogonRight)
If a service account is only required to be leveraged on a single
endpoint to run a specific service, the service account can
be further restricted to only permit the account’s usage on a
predefined listing of endpoints.
• Active Directory Users and Computers > Select the Account Tab
– “Log On To” button > Select the proper scope of computers for
access (Fig. 31)
Protected Users Security Group
By leveraging the “Protected Users” security group for privileged
accounts, an organization can minimize various risk factors and
common exploitation methods for exposing privileged accounts
on endpoints.
Beginning with Microsoft Windows 8.1 and Microsoft Windows
Server 2012 R2 (and above), the “Protected Users” security
group was introduced to manage credential exposure within an
environment. Members of this group automatically have specific
protections applied to their accounts, including:
• The Kerberos ticket granting ticket (TGT) expires after 4 hours,
rather than the normal 10-hour default setting.
• No NTLM hash for an account is stored in LSASS since only
Kerberos authentication is used (NTLM authentication is
disabled for an account).
• Cached credentials are blocked. A Domain Controller must be
available to authenticate the account.
• WDigest authentication is disabled for an account, regardless
of an endpoint’s applied policy settings.
• DES and RC4 can’t be used for Kerberos pre-authentication
(Server 2012 R2 or higher); rather Kerberos with AES encryption
will be enforced.
• Accounts cannot be used for either constrained or
unconstrained delegation (equivalent to enforcing the “Account
is sensitive and cannot be delegated” setting in Active Directory
Users and Computers).
To provide Domain Controller-side restrictions for members of
the “Protected Users” security group, the domain functional level
must be Windows Server 2012 R2 (or higher). Microsoft Security
Advisory KB2871997
10
adds support for the protections enforced
for members of the “Protected Users” security group to Windows
7, Windows Server 2008 R2, and Windows Server 2012 systems.
Note: Service accounts (including Managed Service Accounts)
should NOT be added to the “Protected Users” security group — as
authentication will fail.
FIGURE 31. Option to restrict an account to logon to specific endpoints.
10 Microsoft (May 13, 2014). Microsoft Security Advisory: Update to improve credentials protection and management; May 13, 2014.