DMHCyberSecurity-8742 asked Dmf10e-1192 commented

Security Setting : Restrict delegation of credentials to remote servers

Working with a client at the moment who have added the above security setting and recently added some 2016 machines. The GPO setting is using option 3 in this list; however, when attempting to initiate a connection using MSTSC I receive a CredSSP encryption oracle remediation error message.

Restrict Credential Delegation
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
Value Name: RestrictedRemoteAdministrationType
Value Type: REG_DWORD
Value: 3

Require Remote Credential Guard
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
Value Name: RestrictedRemoteAdministrationType
Value Type: REG_DWORD
Value: 2

Require Restricted Admin
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
Value Name: RestrictedRemoteAdministrationType
Value Type: REG_DWORD
Value: 1


I have added the registry key to the destination and host:

DWORD = DisableRestrictedAdmin but cannot connect due to the CredSSP error. On a 2016 machine I can change the sub-setting in PreProd to 'Require Restricted Admin' and the connection completes; however, in production this setting is set by a GPO that I do not have access to see or change, so I was wondering if there are any other admins out there who are having this issue and if there is a resolution that does not reduce the security.

windows-group-policy
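
An added example, not part of the original post and not Microsoft's code: when the GPO itself cannot be viewed, the value it delivers can still be read from the registry on the connecting machine and mapped to the three options listed in the question. The `Lsa` path for `DisableRestrictedAdmin`, the meaning of its `0` value, and the function names are assumptions that do not come from this page.

```powershell
# Added example: report the effective credential-delegation settings on this
# machine without needing access to the GPO that sets them.
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation'
# Assumption (not stated on the page): DisableRestrictedAdmin lives under Lsa.
$LsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Option names exactly as listed in the question.
$Modes = @{
    1 = 'Require Restricted Admin'
    2 = 'Require Remote Credential Guard'
    3 = 'Restrict Credential Delegation'
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CredentialDelegationState {
    $type    = Get-RegistryDword $PolicyPath 'RestrictedRemoteAdministrationType'
    $disable = Get-RegistryDword $LsaPath 'DisableRestrictedAdmin'

    $mode = if ($null -eq $type) {
        'Not configured by policy'
    } elseif ($Modes.ContainsKey([int]$type)) {
        $Modes[[int]$type]
    } else {
        "Unrecognised value $type"
    }

    [pscustomobject]@{
        Computer                           = $env:COMPUTERNAME
        OSVersion                          = [Environment]::OSVersion.Version.ToString()
        RestrictedRemoteAdministrationType = $type
        PolicyMode                         = $mode
        DisableRestrictedAdmin             = $disable
        # Assumption: 0 means Restricted Admin logons are accepted here;
        # an absent value or 1 means they are not.
        AcceptsRestrictedAdmin             = ($disable -eq 0)
    }
}

Get-CredentialDelegationState | Format-List
```

Run it on both the connecting machine and the destination and compare the output: the policy value governs the machine that starts the MSTSC session, while `DisableRestrictedAdmin` is read on the machine being connected to.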
VickyWang-MFST answered
  1. The AD team can only help to see whether the GPO is applied. If the registry key pushed by the GPO has been applied, the AD team cannot answer why the registry is not effective.

Related GPO references are as follows:

https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialsSSP::AllowSavedCredentials

Best Regards,

Vicky

VickyWang-MFST answered

Hi,


Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.


Best Regards,
Vicky

DMHCyberSecurity-8742 answered Dmf10e-1192 commented

Hi Vicky

Unfortunately no, we are looking into this further. It seems to stem from the different OS levels and how the options are configured in the registry keys. I am going to be working with the AD team and GPO owners in an effort to understand what setting they can use to allow a secure option for this.

Thanks

Darren


I recently came across the same issue. Were you able to get it figured out? For me, I was using IP, but it required FQDN once Credential Guard is enabled.

VickyWang-MFST answered

Hi,


Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.


Best Regards,
