Logon Restrictions for Privileged Users
Credentials of a user logging onto a machine are often exposed in memory, allowing malware to steal them and impersonate the user. Privileged users with access to sensitive business data should therefore only connect to secure, trusted machines, to minimize the risk of identity theft. Technical measures exist to enforce this rule, and this Indicator of Exposure verifies that they are implemented.

To make it harder for attackers and malware to steal privileged identities and the permissions attached to them, privileged users should only connect to trusted machines. After identifying privileged users and trusted machines with a "tier model," implement technical measures that enforce logon restrictions for privileged users during day-to-day operations, so that the rule holds even when a privileged user logs on to the wrong machine by mistake.
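As an added example (not part of this page or of the product it describes), the following Python script checks a `secedit /export`-style security template for the five "Deny log on" user rights referenced on this page and reports which Tier-0 groups a lower-tier machine fails to deny. The domain SID and the template text are constructed; the group RIDs are the well-known ones.

```python
# The five "Deny log on ..." user rights referenced on this page.
DENY_RIGHTS = ("SeDenyNetworkLogonRight", "SeDenyInteractiveLogonRight",
               "SeDenyRemoteInteractiveLogonRight", "SeDenyBatchLogonRight",
               "SeDenyServiceLogonRight")

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Tier-0 groups that a lower-tier machine should deny; RIDs are the well-known
# ones (512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins).
TIER0 = {f"{DOMAIN_SID}-512": "Domain Admins",
         f"{DOMAIN_SID}-519": "Enterprise Admins",
         f"{DOMAIN_SID}-518": "Schema Admins"}

# Constructed excerpt of a secedit export for a Tier-2 workstation (gaps on purpose).
SAMPLE_TEMPLATE = f"""[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*{DOMAIN_SID}-512,*{DOMAIN_SID}-519,*{DOMAIN_SID}-518
SeDenyInteractiveLogonRight = *{DOMAIN_SID}-512,*{DOMAIN_SID}-519
SeDenyRemoteInteractiveLogonRight = *{DOMAIN_SID}-512
SeDenyBatchLogonRight = *{DOMAIN_SID}-512,*{DOMAIN_SID}-519,*{DOMAIN_SID}-518
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(template):
    """Return {right_name: set(SIDs)} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma separated; resolved SIDs carry a leading '*'.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def missing_denies(template, privileged=TIER0):
    """Map each deny right to the privileged groups it fails to cover."""
    rights = parse_privilege_rights(template)
    gaps = {}
    for right in DENY_RIGHTS:
        denied = rights.get(right, set())  # an absent right denies nobody
        absent = sorted(n for sid, n in privileged.items() if sid not in denied)
        if absent:
            gaps[right] = absent
    return gaps

if __name__ == "__main__":
    for right, groups in missing_denies(SAMPLE_TEMPLATE).items():
        print(f"{right}: not denied for {', '.join(groups)}")
```

Run against a real export (`secedit /export /cfg out.inf` on the machine, or the GptTmpl.inf of the tier GPO), every right should come back with no gaps for the Tier-0 groups.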

See Also

User right: Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)

User-Workstations deprecation notice

User right: Deny log on as a batch job (SeDenyBatchLogonRight)

User right: Deny log on as a service (SeDenyServiceLogonRight)

User right: Deny log on locally (SeDenyInteractiveLogonRight)

User right: Deny access to this computer from the network (SeDenyNetworkLogonRight)

Description of Selective Authentication (introduced by Windows 2003)

How selective authentication affects domain controller behavior

Allowed-To-Authenticate extended right

Indicator Details

Name: Logon Restrictions for Privileged Users
Severity: High

MITRE ATT&CK Information:

Tactics: TA0004

Techniques: T1078

Attacker Known Tools

Andrew Robbins (@_wald0), Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y): BloodHound

Benjamin Delpy: Mimikatz