The Phantom Credentials of SCCM: Why the NAA Won’t Die

<p>If a Windows machine has ever been an SCCM client, there may be credential blobs for the&nbsp;<a href="https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/accounts#network-access-account" rel="noopener ugc nofollow" target="_blank">network access account</a>&nbsp;(NAA) on disk.</p> <p>If an Active Directory account has ever been configured as an NAA, there may be credential blobs for that account on Windows hosts in the environment.</p> <p>Stop using NAAs and transition to&nbsp;<a href="https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http" rel="noopener ugc nofollow" target="_blank">Enhanced HTTP</a>. That&rsquo;s not enough! The credentials may persist on former clients. The NAA accounts should be disabled/removed from Active Directory!</p> <p><a href="https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9"><strong>Read More</strong></a></p>