Enable 'Apply UAC restrictions to local accounts on network logons'

With User Account Control enabled, filtering the privileged token for built-in administrator accounts will prevent the elevated privileges of these accounts from being used over the network.

Potential risk

A compromised local administrator account can give an attacker a means to move laterally between domain systems.

Remediation options

Option 1 - Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

To the following REG_DWORD value: 0

Option 2 - Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons

To the following value: Enabled
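
The following PowerShell is an added example, not part of the original recommendation: it audits the registry value from Option 1 on the local machine and previews the fix when the value is not 0. The function names are hypothetical, and reporting a missing value separately from an explicit 0 is an assumption of this example.

```powershell
# Added example: audit and, on request, set LocalAccountTokenFilterPolicy to 0.
# Function names are hypothetical. Run from an elevated PowerShell session.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'

function Get-LocalAccountTokenFilterState {
    # Read the value without throwing when it does not exist.
    $item  = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    # Assumption: the remediation asks for an explicit 0, so a missing value
    # is reported as NotConfigured rather than Compliant.
    $state = if ($null -eq $value) {
        'NotConfigured'
    } elseif ($value -eq 0) {
        'Compliant'
    } else {
        'NonCompliant'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        State        = $state
    }
}

function Set-LocalAccountTokenFilterRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # ShouldProcess makes -WhatIf and -Confirm work for the registry write.
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set REG_DWORD to 0')) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Return the state after the (possibly skipped) change.
    Get-LocalAccountTokenFilterState
}

$before = Get-LocalAccountTokenFilterState
$before
if ($before.State -ne 'Compliant') {
    # Preview only; remove -WhatIf to write the value.
    Set-LocalAccountTokenFilterRestriction -WhatIf
}
```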