
How to protect Remote Desktop credentials with Windows Defender Remote Credential Guard or Restricted Admin Mode


Windows Defender Remote Credential Guard was introduced in Windows 10 version 1607 (and Windows Server 2016) and helps protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. It also provides a single sign-on experience for Remote Desktop sessions. The following hyperlink discusses the new requirements in Windows 11. Here are some related guides as well: How to enable or disable Reputation-Based Protection on Windows 10 and Windows 11, how to enable or disable Core Isolation Memory Integrity in Windows 10 and Windows 11, “Local Administrators account lockout is now available“, and how to check if you have Secure Boot and TPM enabled.

You will agree with me that highly privileged administrator credentials are critical and must be adequately protected. There are many security best practices that can be implemented, but today we will discuss how to protect Remote Desktop credentials with Windows Defender Remote Credential Guard and Restricted Admin mode. Note: neither Windows Defender Remote Credential Guard nor Restricted Admin mode sends credentials in clear text to the Remote Desktop server; the point of both is that your credentials never reach the server at all, so a compromised host cannot harvest them.

How does Windows Defender Remote Credential Guard compare to Restricted Admin and Remote Desktop Connection?

In this section, we will discuss the Windows Remote Desktop connection types and how a standard Remote Desktop connection differs from one made with Windows Defender Remote Credential Guard or Restricted Admin mode. To connect remotely at all, Remote Desktop must be enabled on the destination server to allow remote connections to the device. Otherwise, you will be prompted with the error Remote Desktop can’t connect to the remote computer for one of the following reasons.

When administrators connect to a remote computer using RDP in the default way, their credentials are sent to and stored on the remote computer, where they can be harvested if that system is compromised.

Scenario 1: Remote Desktop Connection to a Server without the Windows Defender Remote Credential Guard

This scenario involves the standard Remote Desktop connection we initiate to VMs and physical devices. Since these are the credentials we want to protect, it is worth discussing how the standard connection behaves first. You may also want to learn about Remote Desktop Web Clients, Remote Desktop Services (RDS), etc.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Most of us are administrators and use this technology daily, so it is nothing new. Here is a link discussing all you need to know about Kerberos delegation.

What protocol have you been using when initiating an RDP connection?

In this guide, we will learn about the various options available. See also the following guides: How to remove saved RDP credentials entries in Windows 10, how to remove entries from the Remote Desktop Connection history, and how to prevent the saving of Remote Desktop credentials in Windows. In place of an RDP client, you can also use AnyDesk! Microsoft’s comparison table of the connection options shows the limitations of a standard RDP connection: there is no single sign-on, it does not prevent Pass-the-Hash (PtH) attacks, and it does not prevent the use of your credentials after the connection, because the credentials are delegated to the remote host. I am sure that, at the time of writing, the large majority of you are still connecting this way.

To connect in the traditional way, launch the Remote Desktop Connection app by searching for Remote Desktop Connection and entering the computer name. You can also press Win + R and type mstsc to open Remote Desktop Connection.


Or from the command line: the command for the Windows Remote Desktop client is mstsc. This opens the same Remote Desktop Connection window.


Note that with the mstsc command, every time you connect to the server it may open a new user session. To avoid this, we can connect to the console session instead, which lets us log back into the same session if we already have one. On Windows Vista SP1/Windows Server 2008 and later (including Windows 10 and 11) the switch for this is /admin; the older /console switch is still accepted by mstsc but is ignored, so use /admin as shown below.

mstsc /admin

After that, input the IP address, and click on Connect. Finally, type in the credentials of the remote PC and then you can connect successfully.


Next, I will discuss the other switches available with the mstsc command. To open a Remote Desktop session in full-screen mode, add the /f switch: type mstsc /f and press Enter. After that, input the IP address or computer name, click Connect, and type in the credentials of the remote PC to connect.

mstsc /f

To specify the remote PC on the command line, add the /v switch: type mstsc /v:computername and press Enter (replace computername with the name of your remote device).

mstsc /v:computername

Run the command below to use connection settings saved in an RDP file. An RDP file can be created using the Save As button on the General tab of the Remote Desktop Connection window.

mstsc filename.rdp
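The switches above can also be baked into an .rdp file so that every connection is made the same way. The PowerShell below is an added example and not code from the original post; it writes such a file (without any stored username or password, so mstsc prompts at connect time), checks that TCP 3389 is reachable before launching the client, which is the usual cause of the “Remote Desktop can’t connect” error, and then starts mstsc with the file. The host name and output path are placeholders.

```powershell
# Added example, not part of the original post: generate an .rdp file that
# encodes the mstsc switches discussed above and launch the client with it.
# Assumptions: 'srv01.contoso.local' and the output path are placeholders.

function New-RdpFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Path,
        [switch] $FullScreen,      # same as mstsc /f
        [switch] $AdminSession     # same as mstsc /admin
    )
    $settings = @(
        "full address:s:$ComputerName"
        "screen mode id:i:$(if ($FullScreen) { 2 } else { 1 })"
        "administrative session:i:$(if ($AdminSession) { 1 } else { 0 })"
        # Refuse to connect if the server cannot prove its identity
        # (0 = connect anyway, 1 = warn, 2 = do not connect).
        "authentication level:i:2"
        # Use CredSSP/NLA so the user is authenticated before a session is created.
        "enablecredsspsupport:i:1"
        # Deliberately no 'username:s:' or 'password 51:b:' line: mstsc prompts
        # at connect time instead of reading credentials out of the file.
    )
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    Get-Item -Path $Path
}

function Connect-Rdp {
    param([Parameter(Mandatory)] [string] $RdpFile)
    $target = (Get-Content -Path $RdpFile | Where-Object { $_ -like 'full address:s:*' }) -replace '^full address:s:', ''
    # "Remote Desktop can't connect to the remote computer" is usually RDP
    # disabled on the host or port 3389 filtered; check that before launching.
    if (-not (Test-NetConnection -ComputerName $target -Port 3389 -InformationLevel Quiet)) {
        throw "TCP 3389 on $target is not reachable; check Remote Desktop settings and the firewall."
    }
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$RdpFile`""
}

$file = New-RdpFile -ComputerName 'srv01.contoso.local' -Path "$env:TEMP\srv01.rdp" -FullScreen
Connect-Rdp -RdpFile $file.FullName
```

Because the file carries no credentials, it is safe to keep in a script repository; the authentication level of 2 also means the client refuses to connect rather than warn when the server identity cannot be verified.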

Scenario 2: Remote Desktop Connection to a Server with the Restricted Admin mode or Windows Defender Remote Credential Guard

This section describes the steps to enable Restricted Admin mode for Remote Desktop. Restricted Admin mode prevents the transmission of your credentials to the remote system you are connecting to with the Remote Desktop client, which stops them from being harvested during the initial connection if the remote server has been compromised.

When running in Restricted Admin or Remote Credential Guard mode, participating apps (RDP clients) do not expose signed-in or supplied credentials to the remote host. Restricted Admin mode limits access to resources located on other servers or networks from the remote host because the credentials are not delegated: anything in the session that reaches out to the network does so as the remote host’s own computer account. We will start by discussing Restricted Admin mode and how to configure and use it.

Enable Restricted Admin mode

Restricted Admin mode is disabled by default and must be explicitly enabled on the destination server; that is done with the DisableRestrictedAdmin registry value described further below, which can also be deployed through Group Policy. The account used to connect must be a member of the local Administrators group on the destination system. Separately, the Group Policy setting that controls whether the connecting client uses (or must use) Restricted Admin is Restrict delegation of credentials to remote servers. To configure it, launch the Local Group Policy Editor or the Group Policy Management tool and navigate to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation, then enable Restrict delegation of credentials to remote servers. In the future, I will be showing you how to roll out Restricted Admin mode across a domain environment.


Since I am demonstrating the steps on a standalone PC with the Local Group Policy Editor, the path is slightly different: Computer Configuration > Administrative Templates > System > Credentials Delegation.


Then set Restrict delegation of credentials to remote servers to Enabled and pick the mode you want (Restrict Credential Delegation, Require Remote Credential Guard or Require Restricted Admin).


This setting takes effect when Group Policy refreshes. To refresh it immediately, open an elevated command prompt on the client and run the command below. For more information on GPUpdate switches, see all about GPUpdate switches – GPUpdate vs GPUpdate /force.

Gpupdate.exe /target:computer /force

To turn the policy off again, set the above Group Policy setting to Disabled. Once Group Policy has refreshed with Require Restricted Admin selected, the client will only be able to make Remote Desktop connections in Restricted Admin mode. No reboot is required.

How to Enable Restricted Admin mode via the Windows Registry

To do that, we need to add a registry value on the remote host. Note that this can also be deployed through Registry preferences (Computer Configuration > Preferences > Windows Settings > Registry) in the Group Policy Management Editor. Here we will use Registry Editor: log in to the server or PC as an administrator and go to Start > Run > regedit.


Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa


Add a registry value named DisableRestrictedAdmin of type REG_DWORD with the data 0 (data of 1, or the absence of the value, leaves the feature disabled). A reboot is not required for this to take effect.


How to connect to a remote server using the Restricted Admin Mode

Once this configuration is in place via the registry or GPO, you can connect to the remote RDP server from the command line or the Run box. To use Restricted Admin mode, an additional parameter must be passed to the Remote Desktop client on the command line, as follows:

mstsc.exe /restrictedAdmin /v:servername

Note: if you do not connect with the /restrictedAdmin switch, the ordinary connection path is used and your credentials are delegated to the host as before. When you do connect in Restricted Admin mode, you cannot reach other network resources from the session as yourself, because your credentials are not passed to the host. With the client policy set to Require Restricted Admin, participating applications must use Restricted Admin to connect to remote hosts.
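The registry step and the connection step above can be combined into one script. The following is an added example written for this guide, not code from the original post or from Microsoft: it sets DisableRestrictedAdmin to 0 on the remote host over PowerShell Remoting, reads back the host-side state (including whether RDP is enabled at all), and only then launches mstsc with /restrictedAdmin. The server name is a placeholder, and WinRM access as a local administrator on the host is assumed.

```powershell
# Added example, not part of the original post: enable Restricted Admin on the
# remote host over PowerShell Remoting, confirm the host-side state, then open
# the connection in Restricted Admin mode from the client.
# Assumptions: 'srv01.contoso.local' is a placeholder; you are a local
# administrator on it and WinRM is reachable. The same LSA value also enables
# Remote Credential Guard on the host.

$Server = 'srv01.contoso.local'

function Enable-RestrictedAdminHost {
    param([Parameter(Mandatory)] [string] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

        # DisableRestrictedAdmin missing or 1 = feature off, 0 = on. No reboot required.
        $current = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
        if ($null -eq $current) {
            New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 | Out-Null
        } elseif ($current -ne 0) {
            Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0
        }

        # Report the effective state so the caller can decide whether to connect.
        [pscustomobject]@{
            Computer               = $env:COMPUTERNAME
            DisableRestrictedAdmin = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin).DisableRestrictedAdmin
            RdpEnabled             = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
        }
    }
}

$state = Enable-RestrictedAdminHost -ComputerName $Server
$state | Format-List

if ($state.DisableRestrictedAdmin -eq 0 -and $state.RdpEnabled) {
    # /restrictedAdmin keeps your password, hash and TGT off the host. Inside the
    # session, anything that touches the network runs as the host's computer
    # account, which is why second-hop access to other servers fails.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/restrictedAdmin /v:$Server"
}
```

If the connection is refused after this, the usual causes are that the connecting account is not in the host’s local Administrators group or that a client-side policy requires Remote Credential Guard instead.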

How to enable Windows Defender Remote Credential Guard

By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credentials are not exposed if the target device is compromised, because neither the credentials nor credential derivatives are ever passed over the network to the target device. Here are some guides I highly recommend you take a look at: Windows Defender Credential Guard, which employs virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.

Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. Windows Defender Remote Credential Guard, the feature covered here, is a separate feature: it blocks NTLM for the remote connection (allowing only Kerberos), thereby preventing Pass-the-Hash (PtH) attacks, and also prevents the use of your credentials after the session disconnects.

Note: Remote Credential Guard does not limit access to resources because it redirects all requests back to the client's device.

The feature is designed to stop a compromised host from turning into a credential-theft incident. It protects your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection, and it also provides a single sign-on experience for Remote Desktop sessions.


Step 1: Configure the client-side policy. On the device you connect from (or in a GPO targeting your admin workstations), open the Group Policy Management Console, go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation, and then double-click Restrict delegation of credentials to remote servers. The remote host itself is enabled with the registry value covered later in this guide.


This opens the Restrict delegation of credentials to remote servers policy settings. Note: the policy offers three modes, and a good understanding of each is paramount. If you enable the policy setting, the following options are supported:

  • Restrict Credential Delegation: participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Windows Defender Remote Credential Guard is preferred, but Restricted Admin mode is used (if supported) when Windows Defender Remote Credential Guard cannot be used.
  • Require Remote Credential Guard: participating applications must use Remote Credential Guard only to connect to remote hosts (mstsc /remoteGuard).
  • Require Restricted Admin: participating applications must use Restricted Admin only to connect to remote hosts (mstsc /restrictedAdmin).

For test purposes, I will be using Require Remote Credential Guard since I am only interested in testing Remote Credential Guard. When you are done with the policy, click OK.


With this setting in place, a Remote Desktop connection will succeed only if the remote computer supports Remote Credential Guard (see the requirements and drawbacks at the end of this guide). Next, from a command prompt, run gpupdate.exe /force to ensure that the Group Policy object is applied.
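On a workstation that is not managed by Group Policy, the same policy can be written straight into the Policies hive that the Local Group Policy Editor writes to. The script below is an added example, not code from the original post or from Microsoft; it assumes that the value names RestrictedRemoteAdministration and RestrictedRemoteAdministrationType and the mode numbers 1, 2 and 3 match what CredSsp.admx defines for this policy, so check the ADMX in your environment before relying on it. It lets you switch between the three modes and read back which one is in force.

```powershell
# Added example, not part of the original post: set the client-side
# "Restrict delegation of credentials to remote servers" policy directly in
# the registry for a machine without Group Policy management.
# Assumption: value names and mode numbers below match CredSsp.admx
# (1 = Restrict Credential Delegation, 2 = Require Remote Credential Guard,
# 3 = Require Restricted Admin); verify against the ADMX before rollout.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$Modes = @{
    RestrictCredentialDelegation = 1   # prefer Remote Credential Guard, fall back to Restricted Admin
    RequireRemoteCredentialGuard = 2   # Remote Credential Guard only (mstsc /remoteGuard)
    RequireRestrictedAdmin       = 3   # Restricted Admin only (mstsc /restrictedAdmin)
}

function Get-CredentialDelegationPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.RestrictedRemoteAdministration -ne 1) { return 'NotConfiguredOrDisabled' }
    $match = $Modes.GetEnumerator() | Where-Object { $_.Value -eq $p.RestrictedRemoteAdministrationType }
    if ($null -eq $match) { return "Unknown($($p.RestrictedRemoteAdministrationType))" }
    $match.Key
}

function Set-CredentialDelegationPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RestrictCredentialDelegation', 'RequireRemoteCredentialGuard', 'RequireRestrictedAdmin', 'Disabled')]
        [string] $Mode
    )
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    if ($Mode -eq 'Disabled') {
        Set-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministration -Type DWord -Value 0
        Remove-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministrationType -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministration -Type DWord -Value 1
        Set-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministrationType -Type DWord -Value $Modes[$Mode]
    }
    Get-CredentialDelegationPolicy   # echo the effective mode
}

# Mirror the guide: require Remote Credential Guard for every RDP connection from this client.
Set-CredentialDelegationPolicy -Mode RequireRemoteCredentialGuard
```

Keep in mind that on a domain-joined client any GPO that configures the same setting will overwrite these values at the next Group Policy refresh, so this approach is only for machines that are genuinely outside Group Policy management.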

How to enable Windows Defender Remote Credential Guard using Windows Registry

To save time, you can enable Windows Defender Remote Credential Guard on the remote host from the command line as shown below. Run the command with administrative rights.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
Alternatively, you can enable it on the remote server using the same registry steps we used for Restricted Admin mode above, since the same value controls both. To do this, open Registry Editor on the remote host:

Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. Add a new DWORD value named DisableRestrictedAdmin and set its data to 0; this turns on both Restricted Admin and Windows Defender Remote Credential Guard on the host.

When you are done, click OK and close Registry Editor. This is the same host-side switch used in the Restricted Admin section above; which of the two modes a client actually uses is decided by the client-side Restrict delegation of credentials to remote servers policy or by the mstsc switch.

Use Remote Credential Guard with a parameter to Remote Desktop Connection

If you don’t use Group Policy in your organization, you can add the /remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.

mstsc.exe /remoteGuard

Note: you must be authorized to connect to the remote server using RDP. The user must be a member of the Remote Desktop Users local group on the remote computer (local administrators have this right by default).
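Once either mode is rolled out, you will want to confirm that administrators are really connecting that way rather than with the standard client. The script below is an added example for this guide, not code from the original post; it reads Security event 4624 on a host, keeps only logon type 10 (RemoteInteractive, i.e. RDP), and reports the RestrictedAdminMode field that the event carries, together with the authentication package (Kerberos versus NTLM). Newer builds also carry a RemoteCredentialGuard field; the script assumes that field may or may not be present and only reads it if it exists.

```powershell
# Added example, not part of the original post: list RDP logons on a host and
# show whether each one arrived with Restricted Admin / Remote Credential Guard
# protection. Assumption: the RemoteCredentialGuard field exists only on newer
# builds, so it is read only when present in the event data.

function Get-RdpLogonProtection {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $MaxEvents    = 500
    )
    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.LogonType -ne '10') { return }   # 10 = RemoteInteractive (RDP)

            [pscustomobject]@{
                Time                  = $_.TimeCreated
                User                  = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceIp              = $data.IpAddress
                AuthPackage           = $data.AuthenticationPackageName   # Kerberos vs NTLM
                RestrictedAdminMode   = $data.RestrictedAdminMode         # Yes / No / -
                RemoteCredentialGuard = if ($data.ContainsKey('RemoteCredentialGuard')) { $data.RemoteCredentialGuard } else { 'n/a' }
            }
        }
}

# Report RDP logons that delivered delegable credentials to the host: neither
# Restricted Admin nor Remote Credential Guard was in use.
Get-RdpLogonProtection |
    Where-Object { $_.RestrictedAdminMode -ne 'Yes' -and $_.RemoteCredentialGuard -ne 'Yes' } |
    Format-Table -AutoSize
```

An NTLM authentication package on a logon that should have used Remote Credential Guard is a sign that Kerberos was not available for the connection (for example, a connection by IP address or to a host outside the domain), which is exactly the situation the drawbacks below describe.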


Windows Defender Remote Credential Guard drawbacks

1: Windows Defender Remote Credential Guard does not support compound authentication. For example, if you are trying to access a file server from the remote host and that file server requires a device claim, access will be denied.

2: Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). It cannot be used when connecting to remote devices joined to Azure Active Directory.

3: Windows Defender Remote Credential Guard only works with the RDP protocol.

4: No credentials are sent to the target device, but the target device still acquires Kerberos service tickets on its own, so (unlike Restricted Admin mode) the session can still reach other network resources as you.

5: The server and client must authenticate using Kerberos; NTLM-only connections are not supported.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
