Restricted RDP for Admin (RestrictedAdmin)
Every version of the Windows client and Windows Server brings some security improvements. Some are meaningful, others less so.
Windows 8.1 and Windows Server 2012 R2 introduced several relevant security features; one of them is Restricted Admin mode for RDP, which mitigates the risk of pass-the-hash attacks.
When you connect to a Windows client or Windows Server over RDP, your credentials are stored on the remote computer.
In most cases an admin uses a privileged account to RDP to a remote server, and the result is that those credentials are left on the remote server.
The real-life scenario is connecting to a terminal server with admin credentials over RDP. Such a server hosts many other users, so the likelihood that it is infected with malware is high. A terminal server (RDS) is a desirable target for attackers, because many users are logged on to it at once.
RDP Login Process
When connecting to a remote server over RDP, the user authenticates to the local RDP service using the Remote Interactive Login Process. That means the user physically enters their username and password.
The RDP service performs a network logon to the remote device to ensure the user is allowed access, but requires no further input, because the TGS ticket or NTLM hash created during the initial logon can be used for authentication.
Once authenticated by the RDP service on the target server, the user credentials are sent over a secure channel to the remote device, and an interactive logon is carried out so the user can access the remote desktop.
How standard RDP connection works
Before Windows 8.1, the only way to connect and authenticate to a remote computer using RDP was with the Remote Interactive Login Process:
- A user enters their credentials into the RDP client.
- The RDP client performs a network logon to the target server to authorize the user.
- Once the user is authorized, the RDP client relays the user's credentials to the target machine over a secure channel.
- The target server uses those credentials to perform an interactive logon on behalf of the user.
The user enters a username and password on the machine.
The machine checks whether the credentials are valid by contacting a domain controller, using Kerberos by default or NTLM when Kerberos is not available.
If the domain controller approves that identity, the user can access the machine, and SSO data is stored on it: a TGT or the NTLM hash of the user's password. This SSO data is kept in memory so that the user can access network resources without having to retype their credentials.
Network Domain Logon
The user logs on to their machine with an interactive logon and has their SSO data stored in memory.
When the user wants to access a network resource such as a file share using a network domain logon, an SSO token, such as a Kerberos TGS ticket or a challenge encrypted with the NTLM hash, is used to prove the user's identity to the target machine.
The target machine uses the domain controller to validate the authenticity of that SSO derivative and to receive authorization data for the user.
Restricted Admin Mode
Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on the remote server that could potentially be compromised.
This includes scenarios when the help desk team uses admin credentials for remote PC support or domain admin accounts connect remotely to member servers.
This means that if malware or even a malicious user is active on that remote server, your credentials will not be available on that remote desktop server for the malware to attack.
Enable Restricted Admin
In October 2014, Microsoft released the following updates. The applicable updates add a restricted admin mode for Remote Desktop Connection and Remote Desktop Protocol:
- 2984972 for supported editions of Windows 7 and Windows Server 2008 R2
- 2984976 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2592687 (Remote Desktop Protocol (RDP) 8.0 update) installed. Customers who install update 2984976 must also install update 2984972.
- 2984981 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2830477 (Remote Desktop Connection (RDC) 8.1 client update) installed. Customers who install update 2984981 must also install update 2984972.
- 2973501 for supported editions of Windows 8, Windows Server 2012, and Windows RT.
The updates listed above are all security updates, which means that they have probably been applied to your systems. By default, the RDPRA endpoint is not enabled on any system when installed.
To enable this setting, create a DWORD value named DisableRestrictedAdmin at the following location:
To disable Restricted Admin mode, type 1 in the Value data box, and then click OK.
To enable Restricted Admin mode, type 0 in the Value data box, and then click OK.
By default, the value does not exist. Creating it and assigning a value of 0 to it will immediately enable that system to receive RDPRA connections (no reboots required).
The backport also introduced another registry value, DisableRestrictedAdminOutboundCreds, which must be created as follows:
A DWORD value named DisableRestrictedAdminOutboundCreds at the following location:
- Default (value does not exist) = 0: admin outbound credentials are enabled
- Value = 1: admin outbound credentials are disabled
To configure this via GPO, go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation, then set Require Restricted Admin to Enabled.
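As an added example (not from the original post), the following PowerShell audits the two registry values described above and can enable the mode on the local host. It assumes both DWORDs live under the Lsa key, HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which the post does not name; verify that path against Microsoft's KB for your build before deploying it.

```powershell
# Added example, not part of the original post. Assumption: the two DWORDs
# live under the Lsa key (the post omits the path); confirm before use.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    # Report the effective state, treating a missing value as the documented
    # default: DisableRestrictedAdmin absent  -> mode NOT enabled;
    #          DisableRestrictedAdminOutboundCreds absent -> 0, outbound allowed.
    $props    = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $disable  = $props.DisableRestrictedAdmin
    $outbound = $props.DisableRestrictedAdminOutboundCreds
    [pscustomobject]@{
        ComputerName                         = $env:COMPUTERNAME
        DisableRestrictedAdmin               = if ($null -eq $disable)  { 'absent' } else { $disable }
        DisableRestrictedAdminOutboundCreds  = if ($null -eq $outbound) { 'absent' } else { $outbound }
        RestrictedAdminEnabled               = ($null -ne $disable  -and $disable  -eq 0)
        OutboundCredsDisabled                = ($null -ne $outbound -and $outbound -eq 1)
    }
}

function Enable-RestrictedAdmin {
    # Create (or overwrite) DisableRestrictedAdmin = 0. Per the post this takes
    # effect immediately, with no reboot. Requires an elevated session.
    New-ItemProperty -Path $LsaKey -Name 'DisableRestrictedAdmin' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Get-RestrictedAdminState
}

# Audit only; call Enable-RestrictedAdmin explicitly to change the setting.
Get-RestrictedAdminState | Format-List
```

Run the audit across your RDS hosts (for example via Invoke-Command) to find servers that still accept full-credential RDP logons; once a server is enabled, the client opts in with the standard mstsc.exe /RestrictedAdmin switch.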
Restricted Admin mode for RDP applies only to administrators, so it cannot be used when you log on to a remote computer with a non-admin account. The destination server must also support Restricted Admin mode for RDP. Furthermore, the remote server cannot delegate your credentials to a second network resource, which can become a problem with some implementations such as RemoteApp.