Windows 8.1 Security Improvements – RestrictedAdmin RDP

Windows 8.1 and also Windows 2012 R2,  come with many security improvements. My favorite feature is related to RDP as i usually use RDP to administer all servers beside PowerShell.

 This measure is meant to enhance Windows credential protection against attacks such as Pass-the-hash attacks.

The new feature is called (Restricted Admin Mode for RDP).  Usually when you connect to a remote computer using RDP, your credentials are stored on the remote computer that you RDP into. Usually you are using powerful account to connect to remote servers, and having your credentials stored on all these computers is a security threat indeed.

Imagine you are conecting to a Remote Desktop Server with your admin credentials using RDP, With so many other users using that server, the possibility for a malware infecting that box is high.

With the new feature introduced in Windows 8.1 and Windows Server 2012 R2, when you connect to a remote computer using the command,  MSTSC.EXE /RESTRICTEDADMIN, you will be authenticated to the remote computer but your credentials will not be stored on that computer as they would have been in the past. This means that if a malware or even a malicious user is active on that server, your credentials will not be available on that remote desktop server.

When connecting to a remote computer using RDP and specifying the /RestrictedAdmin switch, the experience looks like this:

restrictedadmin RDP 1

Things to watch out when using this feature

When you connect to a remote computer using this feature, your identity is preserved on that remote server. Say for example that you are connecting from your machine to a server called (SRV1), any activity that you are doing during that remote desktop session on SR1 is performed using your identity. If you tried to access any network resource from that remote server (SRV1), then the identity that is being used is the computer account $SRV1, and not your identity. This is because your identity is not stored on SRV1 server and it cannot be used to jump or connect to a second network resource from there.

Microsoft documentation mentions this “Restricted mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated.”

So if i connect to SRV1 from my machine and then i tried to access the admin share on SRV2 from that remote desktop session, then the connection will happen using SRV1 computer account and not mine.

restrictedadmin RDP 2

GPO Settings

There is a tricky GPO to control and enforce this new feature. The tricky part that this GPO setting should be applied to the machines initiating the remote desktop session using /RestrcitedAdmin feature, and not on the target RDP server.Example if I had 8.1 clients all over my network it would be a good idea to force this setting on my helpdesk personnel systems so that when they RDP to client systems they would be forced to use Restricted Admin mode.

GPO setting is located under the Administrative Templates under Computer Configuration > System > Credential Delegation > Restrict delegation of credentials to remote servers.

restrictedadmin RDP 3

Limitations

The Restricted Admin mode only applies to administrators and the remote server should support this feature.

Furthermore, the remote server cannot delegate your credentials to a second network resource. This can become a problem with some implementations like remote apps.

Security Trade-Off

There is a big argument on the internet about how vulnerable this feature can be in a way or another, to pass-the-hash attack. Check my blog post to know more.

 

One comment on “Windows 8.1 Security Improvements – RestrictedAdmin RDP

  1. Pingback: The new RestrictedAdmin RDP – Security Trade-Off and Pass-the-Hash Exposure | Ammar Hasayen - Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s