Disable automatic site-wide client push installation
Client push installation involves the installation of the client software from the primary site server. This method is initiated from the primary site server and can target individual computers, collections of computers, or newly discovered systems that appear in the ConfigMgr database.
The process uses the stored credentials of one or more configured client push installation accounts to authenticate to the ADMIN$ share on the remote host, copy the installation files there, and execute the client software setup binary. These accounts must have administrative rights on the target computers to install the client software. If the site server fails to authenticate with every configured account, it falls back to authenticating with its own domain computer account; this fallback is the default setting. Depending on the configuration, each of these authentication attempts may create an NTLM relay opportunity.
In ConfigMgr versions 1806 and later, the site server first attempts to authenticate to the client using Kerberos. If that fails, the site server falls back to NTLM authentication. The "Allow connection fallback to NTLM" setting (PREVENT-2) is enabled by default in versions prior to 2207.
Automatic site-wide client push installation can be configured such that the site server attempts to install the client on every discovered computer. When combined with settings that permit NTLM authentication, this setting may allow an attacker to relay NTLM authentication as any of the client push installation accounts or as the site server's domain computer account.
Additionally, we commonly see the client push installation account granted far more privilege than it requires. It does NOT require domain administrator privileges, only local administrator rights on the target computers.
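The authentication flow above is what DETECT-1 and DETECT-3 key on: a push account or the site server's computer account performing a network logon that did not come from the site server. The following detection check over Windows Security event 4624 records is an added example, not part of the original page; the site server address, account names and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed environment values for this example (assumptions, not from the page).
SITE_SERVER_IPS = {"10.0.0.10"}                 # primary site server address(es)
PUSH_ACCOUNTS = {"CORP\\SCCM_PUSH"}             # configured client push installation accounts
SITE_SERVER_COMPUTER_ACCOUNT = "CORP\\SCCM01$"  # site server domain computer account

@dataclass(frozen=True)
class Finding:
    rule: str         # DETECT-1 (computer account) or DETECT-3 (push account)
    account: str
    source_ip: str    # IpAddress: the host that actually opened the connection
    workstation: str  # WorkstationName: name claimed inside the authentication exchange
    target: str       # Computer that recorded the 4624 event
    auth_package: str

def analyze_4624(events):
    """Flag network logons (LogonType 3) by a push account or the site server computer
    account whose source IP is not the site server. IpAddress is the deciding field: in an
    NTLM relay, WorkstationName still carries the site server's own name, not the relay's."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or str(ev.get("LogonType")) != "3":
            continue
        account = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}".upper()
        src_ip = ev.get("IpAddress", "-")
        if src_ip in SITE_SERVER_IPS:
            continue  # expected: a push initiated by the site server itself
        if account in PUSH_ACCOUNTS:
            rule = "DETECT-3"
        elif account == SITE_SERVER_COMPUTER_ACCOUNT:
            rule = "DETECT-1"
        else:
            continue
        findings.append(Finding(rule, account, src_ip, ev.get("WorkstationName", "-"),
                                ev.get("Computer", "-"), ev.get("AuthenticationPackageName", "-")))
    return findings

SAMPLE_EVENTS = [  # constructed records mimicking 4624 EventData fields (not real log data)
    {"EventID": 4624, "Computer": "WS01", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "sccm_push",
     "WorkstationName": "SCCM01", "IpAddress": "10.0.0.10", "AuthenticationPackageName": "Kerberos"},  # legitimate push
    {"EventID": 4624, "Computer": "WS02", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "sccm_push",
     "WorkstationName": "SCCM01", "IpAddress": "10.0.5.77", "AuthenticationPackageName": "NTLM"},  # same name, other IP
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "SCCM01$",
     "WorkstationName": "SCCM01", "IpAddress": "10.0.5.77", "AuthenticationPackageName": "NTLM"},  # computer account
]

if __name__ == "__main__":
    print(*analyze_4624(SAMPLE_EVENTS), sep="\n")
```

Matching on IpAddress rather than WorkstationName matters because the workstation field is supplied by the authenticating client and is unchanged when the exchange is relayed.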
- DETECT-1: Monitor site server domain computer accounts authenticating from another source
- DETECT-3: Monitor client push installation accounts authenticating from anywhere other than the primary site server
- PREVENT-1: Patch site server with KB15599094
- PREVENT-2: Disable Fallback to NTLM
- ELEVATE-2: NTLM relay via automatic client push installation
- ELEVATE-3: NTLM relay via automatic client push installation and AD System Discovery
- Chris Thompson, Coercing NTLM Authentication from SCCM
- Microsoft, Configuration Manager Accounts
- Microsoft, How to deploy clients to Windows computers in Configuration Manager