Remote Desktop Services is one of the most useful features for IT administrators and developers, who use it to administer servers remotely as part of their day-to-day work. However, when we log in to a server remotely we normally use our high-privilege accounts, so if that server is compromised there is a real possibility of losing those credentials.
Microsoft offers a solution, RestrictedAdmin mode, introduced from Windows Server 2012 R2 onwards. It was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on the remote server or computer. This covers scenarios such as server administrators using admin credentials for remote PC support, or domain admin accounts being used to connect remotely to member servers. Those credentials are then not available on the remote host for malware or an attacker to steal.
Prerequisites for client computers:
How a typical RDP process works:
By default, Remote Desktop uses the Remote Interactive logon process to authenticate: when you RDP to the server, the user's credentials are sent (over a secure channel) to the remote device, and if the logon succeeds the user can access the remote desktop.
Once the user has connected over RDP, the server records a successful logon event with Logon Type 10 (Type 10 means Remote Interactive logon).
If you inspect the credentials cached on the server, you can see the user's NTLM hash in memory. Even after we leave the server and our session becomes stale, the hash does not leave the server. Rebooting the target device after use is the only way to ensure that credentials from stale or leaked logon sessions are removed completely from memory.
How a RestrictedAdmin RDP connection works:
Microsoft introduced the RestrictedAdmin feature from Windows Server 2012 R2 onwards. In RestrictedAdmin mode, RDP uses a network logon process instead of a remote interactive one. Using a network logon ensures that the user's credentials are never sent to the target device, so they are not available for theft.
To use RestrictedAdmin mode the remote target needs to support it, and the switch below takes you to the RestrictedAdmin console:
mstsc /v:<server name> /restrictedAdmin
A view of the Security event log after connecting with the /restrictedAdmin switch:
And now if we capture a credentials dump on the server, it reveals that the user token is there, but it is populated with the target device's computer account details!
When we try to access other network resources from within the remote session we see "access denied" errors, because we are authenticating (and trying to access resources) using the computer account, not the user account.
Restricted admin is disabled by default: you need to explicitly add the /restrictedAdmin switch to the mstsc command line and enable it on the target device.
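The two sections above make the point that a classic RDP logon (Type 10) leaves the user's reusable credentials in LSASS while a RestrictedAdmin session does not. The following PowerShell is an added example, not code from the original post: it reads Event ID 4624 from the target server's Security log and reports which RDP logons left credentials cached on the host. It assumes it runs elevated, that logon auditing is enabled, and that the `RestrictedAdminMode` field is present in the event XML (Microsoft added it to 4624 on Windows 10 / Server 2016 and later; older builds simply return an empty value for it).

```powershell
# Added example (not from the original post): list RDP logons from the Security log and
# flag which ones left reusable credentials on this host. Assumes it runs elevated on the
# target server and that auditing of logon events (Event ID 4624) is enabled.
# The RestrictedAdminMode field is populated on Windows 10 / Server 2016 and later only;
# on older builds it comes back empty and the script treats the logon as a normal one.

function Get-RdpLogonSummary {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull named fields from the event XML rather than parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $logonType = [int]$data['LogonType']
            # Type 10 = RemoteInteractive (classic RDP). Type 3 = Network, the logon class
            # the post describes for a RestrictedAdmin session. Skip everything else.
            if ($logonType -ne 10 -and $logonType -ne 3) { return }

            $restricted = ($data['RestrictedAdminMode'] -eq 'Yes')

            [pscustomobject]@{
                Time              = $_.TimeCreated
                User              = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIp          = $data['IpAddress']
                LogonType         = $logonType
                RestrictedAdmin   = $restricted
                # A remote-interactive logon that was not RestrictedAdmin left a reusable
                # credential in LSASS until the next reboot, as the post explains.
                CredsCachedOnHost = ($logonType -eq 10 -and -not $restricted)
            }
        }
}

# Usage: show the logons from the last 24 hours that left credentials on this server.
Get-RdpLogonSummary | Where-Object CredsCachedOnHost | Format-Table -AutoSize
```

Run it on the member server rather than the client: the question is which accounts' credentials are sitting in that server's memory, so a non-empty result is the list of accounts you would have to treat as exposed if the server were compromised, and the cure the post gives is a reboot.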
Remote Credential Guard:
Remote Credential Guard enables you to protect your privileged credentials while still accessing network resources from within the remote session.
To use Remote Credential Guard mode the remote target must support it, and you need to use the following command line:
mstsc /v:<server name> /remoteGuard
Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and prevents use of the credentials after disconnection.
Comparison between Remote Desktop security modes:
When we open RDP on a client computer to perform remote administration, a default RDP connection is initialized. So, if we want to force the client's RDP request to use /restrictedAdmin mode, enable the GPO below to enforce the setting.
The GPO setting is located under Administrative Templates under Computer Configuration > System > Credential Delegation > Restrict delegation of credentials to remote servers. Enable the policy.
How to enable secure RDP on the target server:
Once the client initializes the secure RDP session, our target device must accept the request, for which the registry value below must be pushed to the servers, either manually or by GPO.
Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Add registry value DisableRestrictedAdmin, Type: REG_DWORD, Value: 0
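The client-side GPO and the server-side registry value above are the two halves of one deployment. The PowerShell below is an added example, not code from the original post: it applies both settings through the registry and then audits the result, so that a missing value is not mistaken for "enabled". The `DisableRestrictedAdmin` value is the one the post gives. The two policy values under `CredentialsDelegation` (`RestrictedRemoteAdministration` and `RestrictedRemoteAdministrationType`) are what the "Restrict delegation of credentials to remote servers" policy writes in registry-based policy; the mode numbers assumed here (1 = Restricted Admin, 2 = Remote Credential Guard, 3 = either) should be checked against the policy's ADMX in your environment before relying on them.

```powershell
# Added example (not from the original post): configure and verify both ends of a
# RestrictedAdmin / Remote Credential Guard deployment. Run elevated.
# DisableRestrictedAdmin under Lsa is the value the post describes for the target server.
# The CredentialsDelegation values are assumed to match the "Restrict delegation of
# credentials to remote servers" policy; verify them against your ADMX before use.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Target server: allow incoming RestrictedAdmin sessions (DisableRestrictedAdmin = 0).
function Enable-RestrictedAdminTarget {
    New-ItemProperty -Path $LsaKey -Name 'DisableRestrictedAdmin' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Client: force outgoing mstsc sessions into a credential-protecting mode.
# Assumed mode values: 1 = require Restricted Admin, 2 = require Remote Credential Guard,
# 3 = restrict credential delegation (either mode is acceptable).
function Set-ClientCredentialDelegationPolicy {
    param([ValidateSet(1, 2, 3)][int]$Mode = 3)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'RestrictedRemoteAdministration' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'RestrictedRemoteAdministrationType' `
        -PropertyType DWord -Value $Mode -Force | Out-Null
}

# Audit: report the effective state of both settings on this machine.
function Test-SecureRdpConfig {
    $lsa = Get-ItemProperty -Path $LsaKey    -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        # The post says RestrictedAdmin is disabled by default, so an absent value
        # means the target will still reject /restrictedAdmin connections.
        AcceptsRestrictedAdmin = ($null -ne $lsa.DisableRestrictedAdmin -and $lsa.DisableRestrictedAdmin -eq 0)
        ClientPolicyEnforced   = ($pol.RestrictedRemoteAdministration -eq 1)
        ClientPolicyMode       = $pol.RestrictedRemoteAdministrationType
    }
}

# Usage on a target server, then on an admin workstation:
# Enable-RestrictedAdminTarget;                  Test-SecureRdpConfig
# Set-ClientCredentialDelegationPolicy -Mode 2;  Test-SecureRdpConfig
```

Writing the policy values directly is useful for a lab or for a machine that is not domain-joined; on domain members, push the same settings through the GPO the post names so that Group Policy does not overwrite them on the next refresh, and use `Test-SecureRdpConfig` only to confirm what actually landed.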
Limitation of a secure RDP session:
In RestrictedAdmin mode you can't connect to other network resources from the session, because the user's credentials are not passed to the target.
Ref: The article below helps to compare all the RDP session features and their implementation. Please check it to understand more about secure RDP.
**********************Happy Learning********************