How can defenders mitigate Pass the Hash attacks that leverage Restricted Admin mode?
Defenders should focus on preventing the initial theft of NTLM hashes, since this attack depends on credentials harvested earlier and then reused for lateral movement. Restricted Admin mode was designed to improve security by not exposing the user's credentials to the remote host, yet that same design allows it to be abused for Pass the Hash. The best defense is to enforce strong authentication practices, restrict administrative privileges, and monitor for suspicious RDP connections that use the `/restrictedadmin` switch. Microsoft provides guidance on this in its security advisory (see the original article for the link). Note that enabling Restricted Admin mode is not itself a vulnerability; it is a feature that, combined with proper protection of hashes, improves security.