Restricted Admin mode for RDP in Windows 7 / 2008 R2
<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx that discusses RDPRA configuration further which is a good source for information and seeing it’s a WIKI is also a better place to keep updated easily #>
This is a follow on post to my previous one about a year ago regarding RDPRA (yeah just made up an acronym). If you have not as a security responsible resource for your organization viewed and read through https://technet.microsoft.com/en-us/library/security/2871997.aspx I would highly recommend doing so as there are a number of security OS fixes that were introduced in 8.1/2012 R2 which subsequently have been back-ported to Win 7/2008 R2/8/2012.
The key section of that article that I want to cover are the below items:
On October 14, 2014, Microsoft released the following updates. The applicable updates add a restricted admin mode for Remote Desktop Connection and Remote Desktop Protocol:
- 2984972 for supported editions of Windows 7 and Windows Server 2008 R2
- 2984976 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2592687 (Remote Desktop Protocol (RDP) 8.0 update) installed. Customers who install update 2984976 must also install update 2984972.
- 2984981 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2830477 (Remote Desktop Connection (RDC) 8.1 client update) installed. Customers who install update 2984981 must also install update 2984972.
- 2973501 for supported editions of Windows 8, Windows Server 2012, and Windows RT.
AND
Two registry key settings can be configured to manage the Restricted Admin mode. The DisableRestrictedAdmin key is used to enable or disable Restricted Admin mode. If Restricted Admin mode is enabled, the DisableRestrictedAdminOutboundCreds is used to enable or disable the ability for a user connected to a system using Remote Desktop with Restricted Admin mode from automatically authenticating to remote resources using the local machine account.
So basically we back-ported both the ability to initiate RDPRA connections as well as receive RDPRA connections on Win7+ platforms.
The updates that are listed above are all “Security” updates which means that they have probably been applied to your current systems at this point (or you need to examine your patching methodology). By default RDPRA as a “server” / endpoint is not enabled on any systems when installed. In order to enable this setting you need to create the following registry value.
DWORD value that is named DisableRestrictedAdmin at the following location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- To disable Restricted Admin mode, type 1 in the Value data box, and then click OK.
- To enable Restricted Admin mode, type 0 in the Value data box, and then click OK.
By default the value does not exist, creating it and assigning a value of 0 to it will immediately enable that system to receive RDPRA connections (no reboot’s required).
With this backport there was also another registry value that was introduced called DisableRestrictedAdminOutboundCreds. It also must be created as follows:
DWORD value that is named DisableRestrictedAdminOutboundCreds at the following location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Default value = doesn’t exist = 0 = Admin Outbound Creds are enabled
- Value =1 == Admin Outbound Creds are disabled
So what does this new setting mean? If you read my previous article I go into detail about how we authenticate to the system using RDPRA however once logged onto it if we try to hop from that system to another system say a file server or some other resource that our outbound credentials at that point are not our domain credentials but rather we are authenticating as the domain\computer$ of the system we did an RDPRA connection to. This new setting allows you to go a step further and disable that functionality as well which basically means you fail at authentication to network resources when trying to auth outbound from a system that you used RDPRA to connect to.
In case you are wondering I am aware that RDPRA does open a new issue from an exploit perspective in that it allows a modified rdp client such as FreeRDP-pth to use an NTHash as an authentication method which normally is not allowed. You will have to do your own risk analysis to determine whether or not using RDPRA is feasible in your environment. If you are randomizing local account passwords and they are unique across your machines in your environment and you are using firewalling between your client base then I would argue that using RDPRA is a value add in that it allows helpdesk to be able to connect to client machines easily without exposing their credentials to those client machines.