Windows 8.1 and Windows Server 2012 R2 come with a new feature called RestrictedAdmin RDP, in which the user's credentials are no longer stored on the remote computer.
I read about many arguments on the internet about whether this is a good security feature or something that can make you vulnerable to pass-the-hash attacks. In this blog post, I will try to share with you my thoughts.
To start talking about this hot topic, I will start by comparing Interactive Logon with Network Logon, beginning with Interactive Domain Logon:
- John enters his credentials on the machine by typing his username and password.
- The machine checks whether the credentials are correct by contacting a domain controller (using Kerberos by default, or NTLM when Kerberos is not available).
- If the domain controller confirms that identity, the user is authorized to access the machine and Single Sign-On (SSO) data is stored on that machine. This can be a Ticket Granting Ticket (TGT) or the NTLM hash of the user's password. The SSO data is stored in memory and is required to provide a Single Sign-On experience for John, so he can access network resources without typing his credentials over and over.
Network Domain Logon
- So now John has logged on to his machine using Interactive Logon and has his SSO data stored in memory, as shown in the previous figure.
- When John wants to access a network resource, such as a remote file share, using Network Domain Logon, an SSO token derivative (a Kerberos TGS ticket or a challenge encrypted with the NTLM hash) is used to prove the user's identity to the target machine.
- The target machine uses the Domain Controller to validate the authenticity of the SSO derivative and to receive authorization data for the user. It is important to note that the SSO token itself does not leave the user's machine; specifically, it is not sent to the target machine.
Which one is better?
- From John's machine's perspective, Network Logon is better: when he accesses a network share he can do so using Network Logon, and his actual SSO data is not sent to the target server. Network Logon therefore reduces the user's exposure to pass-the-hash attacks.
- From the remote server's perspective, allowing Network Logon on it means that an attacker who has the user's hash can use Network Logon to access the server. On the other hand, if that server does not allow Network Logon, then a pass-the-hash attack against it is not possible. In other words, a server that does not allow Network Logon is not vulnerable to pass-the-hash attacks.
How does a normal RDP connection work (without /RestrictedAdmin)?
Prior to Windows 8.1, the only way to connect and authenticate to a remote computer using RDP was with the Remote Interactive Logon Process.
- John enters his credentials into the RDP client.
- The RDP client performs a Network Logon to the target server to authorize John.
- Once John is authorized, the RDP client securely relays the credentials to the target machine over a secure channel.
- The target server uses these credentials to perform an Interactive Logon on behalf of John.
Note: the remote server must have access to the actual credentials in order to allow the remote desktop connection.
How does a RestrictedAdmin RDP connection work?
Using this mode with administrative credentials, RDP will try to log on interactively to the remote server without sending the credentials. RestrictedAdmin mode does not at any point send plain-text or other reusable forms of credentials to remote computers.
This means that if an attacker has only the hash of the password, he can still access a remote computer using RestrictedAdmin mode, because the actual credentials are no longer a requirement for establishing the connection. Without RestrictedAdmin mode, by contrast, knowing the actual credentials is a must.
In other words, RestrictedAdmin RDP relies heavily on network authentication, which means that either NTLM or Kerberos will work by default.
Previously, if you knew the admin's hash, you could pass the hash with the psexec tool and take over the remote system, provided SMB/RPC (ports 445, 135, 139) were exposed. But because many administrators already block these ports and leave only inbound RDP allowed, the attacker can now pass the hash over the RDP protocol instead.
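As an added defender-side check (example code, not part of the original post), the following PowerShell audit reports whether a server currently accepts RestrictedAdmin RDP and whether the RDP and SMB/RPC ports discussed above are listening, so the "hash only over RDP" exposure becomes visible. It assumes the documented LSA registry value DisableRestrictedAdmin (0 means the mode is enabled, absent or 1 means disabled) and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original post: audit a host for the
# RestrictedAdmin RDP exposure described in the text. Run with local
# administrator rights on the server being checked.
function Get-RestrictedAdminExposure {
    # Assumption: the documented LSA value DisableRestrictedAdmin
    # (0 = RestrictedAdmin RDP enabled, absent/1 = disabled).
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue

    $raEnabled = ($null -ne $lsa) -and
                 ($null -ne $lsa.DisableRestrictedAdmin) -and
                 ($lsa.DisableRestrictedAdmin -eq 0)

    # Ports named in the post. "Listening" is a local view only; a host
    # firewall or network ACL may still block them from the outside.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalPort -Unique
    $rdpListening    = 3389 -in $listening
    $smbRpcListening = @(445, 135, 139) | Where-Object { $_ -in $listening }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RestrictedAdminEnabled = $raEnabled
        RdpListening           = $rdpListening
        SmbRpcListening        = ($smbRpcListening -join ',')
        # The scenario the post warns about: RestrictedAdmin on and RDP
        # reachable means a hash alone is enough to log on over 3389,
        # even if SMB/RPC are closed.
        HashOnlyRdpPossible    = ($raEnabled -and $rdpListening)
    }
}

Get-RestrictedAdminExposure | Format-List
```

If HashOnlyRdpPossible is true on a server that does not need RestrictedAdmin inbound, removing the value (or setting it to 1) restores the pre-8.1 requirement that the client supply the actual credentials.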