28 December 2024

Protected Users Group: Security Restrictions and Operational Impact

Prerequisites

  • Windows Server 2012 R2 or newer required for implementation
  • Domain functional level must support Protected Users features
  • Careful testing recommended before widespread deployment

Core Security Restrictions

  • Enforces Kerberos-only authentication
  • Disables credential caching and delegation
  • Kerberos tickets expire after 4 hours
  • Blocks WDigest and NTLM protocols
  • Prevents cleartext password storage in LSASS
  • CredSSP disabled
  • Protection against Pass-the-Hash and Pass-the-Ticket attacks
  • Credentials are not stored in memory in a reusable format

Operational Limitations

  • Cannot be used to join machines to the domain
  • Direct RDP to Domain Controllers blocked from non-domain workstations
  • Running services and scheduled tasks under these accounts is restricted
  • No credential caching or "Remember my credentials" option
  • Session disconnection requires complete re-authentication
  • Legacy authentication methods are completely blocked

For Domain Management:

  • Maintain a dedicated non-Protected Users account for domain joins
  • Use domain-joined management workstations for administration
  • Start implementation with high-privilege accounts

For Remote Access:

  • Implement a jump server architecture
  • Ensure all management tools support Kerberos authentication
  • Consider implementing Multi-Factor Authentication (MFA)

For Daily Administration:

  • Create separate privileged accounts for specific administrative tasks
  • Document clear procedures for operations requiring NTLM authentication
  • Use modern administration tools with Kerberos support
  • Provide user training on security best practices
  • Monitor and document any authentication issues

Best Practices for Implementation

  • Start with a pilot group of high-privilege accounts
  • Implement gradually to identify potential issues
  • Document all changes and impacts
  • Maintain regular user awareness and training
  • Include Protected Users in overall security strategy
  • Perform regular security monitoring
  • Keep systems and applications up to date
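The pilot workflow described under "For Daily Administration" and "Best Practices for Implementation" can be scripted. The following PowerShell is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module, read access to the Security log on a domain controller, and the constructed account names admin-alice and admin-bob. It screens each candidate (enabled, no SPNs, member of a privileged group), lists where the account has recently authenticated with NTLM (Event ID 4776 on the DC), and only then adds it to Protected Users.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and rights to read the domain controller's Security event log.
Import-Module ActiveDirectory

# Step 1: confirm the candidate is a human privileged account, not a service
# identity (accounts with SPNs break once NTLM and delegation are blocked).
function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName, memberOf
    $issues = @()
    if (-not $u.Enabled) { $issues += 'account is disabled' }
    if ($u.servicePrincipalName.Count -gt 0) { $issues += 'has SPNs (service account?)' }
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    $groups = $u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    if (-not ($groups | Where-Object { $privileged -contains $_ })) {
        $issues += 'not in a high-privilege group; pilot privileged accounts first'
    }
    [pscustomobject]@{ Account = $u.SamAccountName; Eligible = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
}

# Step 2: list NTLM credential validations (Event ID 4776) for the account in
# the last N days. Each workstation found is a place that will stop working
# after the move and needs a documented Kerberos alternative.
function Get-NtlmUsage {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 14,
          [string]$DomainController = (Get-ADDomainController).HostName)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -eq $SamAccountName } |   # TargetUserName
        Group-Object { $_.Properties[2].Value } |                        # Workstation
        Select-Object @{ n = 'Workstation'; e = { $_.Name } }, Count
}

# Step 3: add only eligible accounts; run with -WhatIf first to review.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$Accounts, [switch]$WhatIf)
    foreach ($a in $Accounts) {
        $check = Test-ProtectedUsersCandidate -SamAccountName $a
        if (-not $check.Eligible) { Write-Warning "$a skipped: $($check.Issues)"; continue }
        $ntlm = Get-NtlmUsage -SamAccountName $a
        if ($ntlm) { Write-Warning "$a still uses NTLM from: $(($ntlm.Workstation) -join ', ')" }
        Add-ADGroupMember -Identity 'Protected Users' -Members $a -WhatIf:$WhatIf
    }
}

# Constructed pilot accounts for the example; drop -WhatIf to apply the change.
Add-ToProtectedUsers -Accounts @('admin-alice', 'admin-bob') -WhatIf
```

Event 4776 is written on whichever DC validated the NTLM logon, so run Get-NtlmUsage against each domain controller before treating an account as NTLM-free.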