Thursday, 5 December 2019

Secure Remote Desktop Connection

                       Remote Desktop Service is one of the best features, to Administrate the server via remotely for IT administrators and developers to perform their day to day activity. However, while login the server remotely, we are using our High privileged accounts. When there is attack on server, there is possibility to lose our credentials.

                    Microsoft offer a new solution RestrictedAdmin mode, it has been introduced on Windows server 2012 R2 onwards, and it was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on the remote server or computer. This includes scenarios when server administrators use admin credentials for remote PC support or when domain admin accounts are used to connect remotely to member servers. Their credentials will not be available, for any malicious or malware to attack. 

How Typical RDP process works:

            By default, Remote Desktop is using Remote Interactive logon process to authenticate: while RDP to the server, the user’s credentials are sent (over a secure channel) to the remote device and if the login successful then the user can access the remote desktop.

Once User RDP the server, the server will register successful logon event with Logon type: 10 (Type 10 means Remote Interactive logon).

If you check the server cached credentials, you could see the NTLM hash on the memory. Even if we leave the server and our session become stale, the hash won’t leave the server. Rebooting the target device after use is the only way to ensure that credentials from stale or leaked logon sessions are removed completely from memory.
How RestrictedAdmin RDP connection works:
Microsoft introduced new feature restrictedadmin from window server 2012 R2 onwards. Using restrictedadmin mode, RDP is using a network logon process, instead of remote interactive. Using network logon ensures that the user’s credentials are never sent to the target device, therefore they are not available for theft.

To use restrictedadmin mode the remote target, need to support it and the below switch will take to the restrictedadmin console. 
mstsc /v:<server name> /restirctedAdmin
A view from the security event log after using restirctedAdmin switch:

And now if we capture the Server credentials dump, system reveals that the user token is there, but it’s populated with the target device computer account details!
When we are trying to access other network resources while connected to the remote session we can see “access denied” errors, and that’s because we are authenticating (and try to access resources) using the computer account, not the user account.
Restricted admin is disabled by default, and you need to explicitly add the switch /restrictedAdmin to mstsc command line and enable it on the target device.
 Remote Credential Guard
Remote Credential Guard enables you to protect your privileged credentials and access network resources from within the remote session.
To use the remote Credential Guard mode the remote target, and you need to use the following command line:
mstsc /v:<server name> /remoteguard


Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and prevents use of credentials after disconnection.

Comparison between Remote Desktop security modes:


Pre Requires for Client Computers:

When we are trying to open RDP on client computer to perform remote administration, by default RDP connection will initialize. So, if we want to force Client RDP request to use /RestrictedAdmin mode, enable the below GPO to enforce the settings.
GPO setting is located under the Administrative Templates under Computer Configuration > System > Credential Delegation > Restrict delegation of credentials to remote servers. Enable the Policy.

How to Enable RDP on Target Server:

Once client initializes the secure RDP session, our target device should accept the request, in which the below registry key must be pushed to the servers. Either manually or GPO.
Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Add Registry Key DisableRestrictedAdmin Type: REG_DWORD Value: 0


Limitation of Secure RDP session:
Rstrictedadmin mode you can’t connect to other network resources as its not passing the credentials.
Ref: The below Article help us to compare all RDP sessions feature and implementations. Please have them check to understand more about the Secure RDP.

**********************Happy Learning********************


2 comments:

  1. Stay ahead of your competitors by providing qualified helpdesk support 24x7. OffsiteNOC provides full remote server support for graveyard shifts, due to time difference our engineers working on day shift can be more productive, more attentive, more reliable and more effective than a person working on night shift. Your tools your branding, extend your helpdesk with qualified support persons and at affordable price.

    ReplyDelete
  2. Thanks for sharing important article with us.
    Orbi admin login

    ReplyDelete