These Microsoft Windows registry settings will prevent attackers from scheduling tasks that hide their activities or gain unauthorized access.

Credit: Thinkstock / Microsoft

Attackers often use scheduled tasks as a means to hide their tracks. They might also use the ability to run tasks under different user rights to gain more access. Earlier, I recommended that you set up auditing to track tasks being created. Now I recommend that you harden a setting on your workstations to prevent that kind of task scheduling in the first place. Below are the Microsoft Defender Advanced Threat Protection (ATP) recommended actions:

(Screenshot: Windows Defender ATP recommendations. Credit: Susan Bradley)

The "Domain controller: Allow server operators to schedule tasks" setting determines whether jobs scheduled by members of the Server Operators group are forced to run under the context of the submitting account instead of being allowed to run as SYSTEM. Disabling this setting affects only the ability to schedule jobs using the AT command; it does not affect tasks created with Task Scheduler (schtasks.exe). Keep in mind that the AT command has been deprecated since Windows 8 and Windows Server 2012 in favor of schtasks.exe, so this setting matters most on older systems and on domain controllers, where the Server Operators group actually exists.

As noted by blogger Randy Franklin Smith, "Unlike Scheduled Tasks, which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs as, which is SYSTEM by default. Non-administrators who can schedule AT commands thus have a means to elevate their privileges. This policy controls whether members of the local Server Operators group can schedule AT jobs. If disabled, only administrators can."

So, if you haven't done so already, I recommend setting the following registry value to 0:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl

The SubmitControl value was not on my machine, so you might need to add it. To do so, open the registry hive HKEY_LOCAL_MACHINE and go to the registry path SYSTEM\CurrentControlSet\Control\Lsa.
Add the value name "SubmitControl" as a REG_DWORD with data 0. If you need to set this via Group Policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options and set "Domain controller: Allow server operators to schedule tasks" to Disabled.

(Screenshot: Setting the value in Group Policy. Credit: Susan Bradley)

Using scheduled tasks to hide adversarial activity is a common technique. As noted on the MITRE ATT&CK site, "An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain system privileges, or to run a process under the context of a specified account." Persistent threat actors often use task scheduling when targeting specific vertical industries: phishing emails are used to get into the systems, and a task is then set to run at a later date. Setting this value ensures that attackers have one less method of setting a task on your systems.

Enable LSA protection

Another recommended setting is to enable LSA (Local Security Authority) protection, which runs lsass.exe as a protected process so that only Microsoft-signed code can load into it. This protects against pass-the-hash and Mimikatz-style credential theft.

(Screenshot: Enable LSA protection. Credit: Susan Bradley)

This requires setting the following registry value to 1:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

1. Press the Windows key to go to the Start screen and enter "regedit". Right-click regedit in the search results and click "Run as administrator" at the bottom of the screen.
2. In the left pane of Registry Editor, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa.
3. In the right pane, right-click an area of empty space and select "New > DWORD (32-bit) Value" from the menu.
4. In the new value box, type "RunAsPPL" and press Enter. Double-click the new RunAsPPL value, type "1" in the Value data box, and press "OK".
5. Close Registry Editor and restart the computer; the setting takes effect only after a reboot.
(Screenshot: Enter the value in the Windows registry. Credit: Susan Bradley)

Attackers often target this process (lsass.exe) to harvest credentials with tools such as Mimikatz and then perform pass-the-hash attacks. If you have LSA plug-ins or drivers in your environment (third-party authentication packages or password filters, for example), test the impact before you fully enable protection. Microsoft provides an audit mode for this: create the REG_DWORD value AuditLevel with data 8 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe, reboot, and then look for events 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log, which identify any plug-in that LSA protection would have refused to load. Only once that log is clean should you set RunAsPPL to 1.

As MITRE noted:

"On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtualized environment without any device drivers. Ensure safe DLL search mode is enabled (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode) to mitigate the risk that lsass.exe loads a malicious code library."

Take the time to investigate whether you have protected yourself against Mimikatz and pass-the-hash techniques by reviewing these settings.
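The following script is an added example (not code from the article, from Microsoft or from MITRE) that pulls the SubmitControl, RunAsPPL and SafeDllSearchMode settings covered above into one check, optionally applies them, and offers the LSA audit mode described above as the first step. Run it from an elevated PowerShell prompt. The -Apply and -AuditLsaOnly switches and the function names are this script's own; the registry paths, value names and event IDs are the documented Windows ones.

```powershell
# Added example: report and optionally enforce the three registry settings discussed on this page.
# Run elevated. Switches and function names are this script's own; keys, values and event IDs
# are the documented Windows ones.
[CmdletBinding()]
param(
    [switch]$Apply,        # write the hardened values (without it the script only reports)
    [switch]$AuditLsaOnly  # enable LSA audit mode instead of RunAsPPL=1, to find incompatible plug-ins first
)

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoLsass  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

# Desired state: the key, the value name, and the DWORD data each should hold.
$Settings = @(
    @{ Key = $LsaKey;     Name = 'SubmitControl';     Expected = 0 },  # Server Operators cannot submit AT jobs
    @{ Key = $LsaKey;     Name = 'RunAsPPL';          Expected = 1 },  # lsass.exe runs as a protected process
    @{ Key = $SessionKey; Name = 'SafeDllSearchMode'; Expected = 1 }   # system directories searched before the CWD
)

function Get-DwordValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent (SubmitControl usually is).
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-DwordValue {
    param([string]$Key, [string]$Name, [int]$Data)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $Key -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
}

function Get-HardeningReport {
    # One row per setting: MISSING, OK, or NONCOMPLIANT with the current data.
    foreach ($s in $Settings) {
        $current = Get-DwordValue -Key $s.Key -Name $s.Name
        $state = if ($null -eq $current) { 'MISSING' } elseif ($current -eq $s.Expected) { 'OK' } else { "NONCOMPLIANT (is $current)" }
        [pscustomobject]@{ Setting = $s.Name; Expected = $s.Expected; State = $state }
    }
}

function Test-LsassProtected {
    # After a reboot with RunAsPPL=1, Wininit logs event 12 in the System log:
    # "LSASS.exe was started as a protected process with level: 4".
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
          Select-Object -First 1
    return ($null -ne $ev)
}

function Get-LsaAuditFindings {
    # In audit mode Code Integrity logs 3065 (shared-section violation) and 3066 (signature
    # requirement not met) for every image LSA protection would refuse to load into lsass.exe.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-HardeningReport | Format-Table -AutoSize

if ($AuditLsaOnly) {
    Set-DwordValue -Key $IfeoLsass -Name 'AuditLevel' -Data 8
    Write-Host 'LSA audit mode enabled. Reboot, let the machine run normally, then review Get-LsaAuditFindings before setting RunAsPPL.'
}
elseif ($Apply) {
    foreach ($s in $Settings) { Set-DwordValue -Key $s.Key -Name $s.Name -Data $s.Expected }
    Write-Host 'Values written. RunAsPPL takes effect after a reboot; confirm with Test-LsassProtected.'
}
else {
    Write-Host ("lsass.exe currently running as a protected process: {0}" -f (Test-LsassProtected))
    Get-LsaAuditFindings | Format-Table -AutoSize
}
```

Run it once with no switches to see where a machine stands, with -AuditLsaOnly on a representative set of machines that carry third-party LSA plug-ins, and with -Apply only after the audit findings are empty. The report step deliberately distinguishes a missing value from a wrong one, because SubmitControl is normally absent and an absent RunAsPPL means LSA protection is simply off.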