Enable RDS RestrictedAdmin mode

Enable for incoming connections:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Name: DisableRestrictedAdmin
Type: REG_DWORD
Value: 0

To require for outgoing connections:

  1. Edit the Group Policy and navigate to the following node:
    Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation
  2. Configure the value of “Restrict delegation of credentials to remote servers” to Enabled.

See https://blogs.technet.microsoft.com/srd/2014/06/05/an-overview-of-kb2871997/ for additional security features.

E-mail security

Validation tools:

Configuration: