Windows Defender Remote Credential Guard was introduced in Windows 10 version 1607 (and Windows Server 2016). It helps protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection, so neither the credential nor its derivatives are ever handed to the remote host. It also provides a single sign-on experience for Remote Desktop sessions. You may want to learn about how to enable or disable Memory Integrity in Windows, reputation-based protection, and how to enable or disable Windows Defender Credential Guard, which I wrote about yesterday. Please refer to the original guide; I will do my best to limit internal links to my website to those that are vital.
You will agree with me that the credentials of highly privileged administrators are critical assets and must be adequately and correctly protected. Note: neither Windows Defender Remote Credential Guard nor Restricted Admin mode sends credentials in clear text to the Remote Desktop server; in both modes the remote host never receives a reusable copy of them.
How does Windows Defender Remote Credential Guard compare to Restricted Admin and Remote Desktop Connection?
In this section, we will discuss the Windows Remote Desktop connection types and how a standard Remote Desktop connection, made without Windows Defender Remote Credential Guard or Restricted Admin mode, differs from the protected ones. In order to connect remotely at all, Remote Desktop must be enabled on the destination server so that it accepts incoming connections.
Scenario 1: Remote Desktop Connection to a Server without the Windows Defender Remote Credential Guard
This scenario covers the standard Remote Desktop connection we initiate to VMs and physical devices. Since we will be protecting Remote Desktop credentials, this baseline is worth discussing. You may want to learn about Remote Desktop Web Client, Remote Desktop Services (RDS), and so on. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that gives a user a graphical interface to another computer over a network connection. In this guide, we will learn about the various options available; see also the following guides: How to remove saved RDP credential entries in Windows 10, how to remove entry histories from the Remote Desktop Connection client, and how to prevent the saving of Remote Desktop credentials in Windows. In place of the RDP client, you can also use AnyDesk.
Src: Microsoft
Add-on: note that with the mstsc command, every time you connect to the server it opens a new user session. To reconnect to the server's administrative (console) session instead, which lets you pick up that session again if you already have one there, append the /admin switch to the mstsc command. The older /console switch that the article's screenshot refers to is no longer honored on Windows Vista / Windows Server 2008 and later; /admin replaced it.
With a standard connection of this kind, when administrators connect to a remote computer using RDP their credentials are sent to the remote computer and held in memory there (in LSASS) for the life of the session. If that system is compromised, an attacker with local administrator rights can harvest the password, its NTLM hash, or the Kerberos tickets and reuse them elsewhere, which is exactly the exposure the two protected modes below are designed to remove.
Scenario 2: Remote Desktop Connection to a Server with the Restricted Admin mode or Windows Defender Remote Credential Guard
This section describes the steps to enable Restricted Admin mode for Remote Desktop. Restricted Admin mode prevents the transmission of your credentials to the remote system you are connecting to via the Remote Desktop client; the logon to the remote host is performed without ever giving it a reusable credential. This prevents your credentials from being harvested during the connection if the remote server has already been compromised.
Enable Restricted Admin mode
Restricted Admin mode is disabled by default and must be explicitly enabled on the destination server (the RDP target) through the registry value described further below; the Group Policy setting in this step controls the connecting client and decides which protected mode it is allowed or required to use. The account used to connect must be a member of the local Administrators group on the destination system. To configure the client policy, launch the Local Group Policy Editor or the Group Policy Management tool and navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation.
Then set Restrict delegation of credentials to remote servers to Enabled and, under Use the following restricted mode, choose Require Restricted Admin (or Restrict credential delegation if you also want Remote Credential Guard to be tried first).
This setting takes effect when Group Policy next refreshes. To apply it immediately, open an elevated command prompt and run the command below; running GPUpdate directly on the machine concerned has the same effect. For more information on the switches, see all about GPUpdate switches – GPUpdate vs GPUpdate /force.
Gpupdate.exe /target:computer /force
To disable Restricted Admin mode again, set the above Group Policy setting back to Not Configured (or Disabled) on the clients, and remove the DisableRestrictedAdmin registry value (or set it to 1) on the destination server.
Enable Restricted Admin mode via the Windows Registry
To do that we need to add a registry value on the destination server. Note that this value can also be deployed centrally through Registry preferences (Windows Settings) in the Group Policy Management Editor.
We will be using the Windows Registry Editor here, so log on to the server or PC as an administrator and go to Start > Run > regedit.
Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Add a registry value named DisableRestrictedAdmin of type REG_DWORD with data 0. Despite the name, 0 turns Restricted Admin mode on (and the same value also enables Remote Credential Guard support on this host). A reboot is not required for the setting to apply.
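The host-side part of the configuration above, as an added PowerShell example that is not from the original article: it reads the current state, flips the DisableRestrictedAdmin value, reads it back, and checks that Remote Desktop itself is allowed on the host. The function names are my own; the key, value name and the "0 means enabled" semantics are the documented ones. Run it in an elevated PowerShell session on the RDP target, not on the client.

```powershell
# Added example (not from the original article): enable or disable Restricted Admin /
# Remote Credential Guard support on the RDP target and verify it.
# Run elevated on the remote host. Function names are mine.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # Absent value => mode off (the default); 0 => on; any other data => explicitly off.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Set-RestrictedAdminState {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $LsaKey)) { throw "$LsaKey not found; this does not look like a Windows host." }
    # Counter-intuitive name: DisableRestrictedAdmin = 0 ENABLES the mode. No reboot is needed.
    $data = if ($Enabled) { 0 } else { 1 }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
}

function Test-RdpListenerEnabled {
    # Remote Desktop must be allowed (fDenyTSConnections = 0) or nothing will connect at all.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    return ($ts.fDenyTSConnections -eq 0)
}

# Usage
"Before: $(Get-RestrictedAdminState)"
Set-RestrictedAdminState -Enabled $true
"After:  $(Get-RestrictedAdminState)"
if (-not (Test-RdpListenerEnabled)) {
    Write-Warning 'Remote Desktop is disabled on this host; enable it under System > Remote Desktop first.'
}
```

Because the value name is inverted (Disable... = 0 means enabled), the read-back function is the part worth keeping around: run Get-RestrictedAdminState on a server before you assume a /restrictedAdmin or /remoteGuard connection will be accepted.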
How to connect to a remote server using the Restricted Admin Mode
Once this configuration is done via the registry and/or Group Policy, you can connect to the remote RDP server from the command line or the Run dialog. To use Restricted Admin mode, an additional parameter must be added to the Remote Desktop client at the command line, as follows: Mstsc.exe /RestrictedAdmin
Note: in a Restricted Admin session no credential for your account is held on the remote host, so when you try to reach other network resources from inside that session the connection is made with the remote host's computer account rather than as you. Expect access to other servers and shares to fail unless that computer account has been granted access; this is the trade-off for not exposing your credential. With the policy setting Require Restricted Admin, participating applications must use Restricted Admin mode to connect to remote hosts.
How to enable Windows Defender Remote Credential Guard
By using Windows Defender Remote Credential Guard for Remote Desktop sessions, your credentials are not exposed even if the target device is compromised, because neither the credential nor any credential derivative is ever passed over the network to the target device. Here are some related guides that I highly recommend: Windows Defender Credential Guard, which employs virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets leads to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.
Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. As described above and in the image below, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), which prevents Pass-the-Hash (PtH) attacks, and it also prevents the use of the credentials after the session is disconnected.
Step 1: Configure Windows Defender Remote Credential Guard via Group Policy (this policy applies to the devices that initiate the connection; the remote host itself is enabled through the registry value in Step 2)
From the Group Policy Management Console, go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation, and then double-click Restrict delegation of credentials to remote servers.
This opens the Restrict delegation of credentials to remote servers policy setting.
Note: when you enable this policy setting you must pick one restricted mode, and a good understanding of each is paramount. The options are:
- Restrict credential delegation: participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Windows Defender Remote Credential Guard is preferred, but Restricted Admin mode is used (if the host supports it) when Remote Credential Guard cannot be used.
- Require Remote Credential Guard: participating applications must use Remote Credential Guard only to connect to remote hosts (the equivalent of mstsc /remoteguard).
- Require Restricted Admin: participating applications must use Restricted Admin mode only (the equivalent of mstsc /restrictedAdmin), as covered in the previous section.
For test purposes, I will be using Require Remote Credential Guard since I am only interested in testing Remote Credential Guard. When you are done with the policy, click OK.
How to enable Windows Defender Remote Credential Guard using Windows Registry
On the remote host side, enabling Remote Credential Guard is a single registry value, the same one used for Restricted Admin mode above. You can set it with Registry Editor as shown here, or from an elevated command prompt to save time; either way it must be done with administrative rights on the remote host.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Add a new DWORD value named DisableRestrictedAdmin.
Set the data of this value to 0. This single value turns on both Restricted Admin mode and Windows Defender Remote Credential Guard support on the host.
When you are done, click on OK and close Registry Editor.
Use Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organisation, you can add the /remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that one connection.
Note: regardless of the mode, the connecting user must be a member of the Remote Desktop Users (or Administrators) local group on the remote computer; otherwise you are not authorised to connect via RDP at all and the logon is refused.
mstsc.exe /remoteGuard
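The client side of the procedure, as an added PowerShell example that is not from the original article: it writes the "Restrict delegation of credentials to remote servers" policy directly to the policy registry hive (for machines outside Group Policy), checks that the caller actually holds a Kerberos TGT before attempting Remote Credential Guard (which blocks NTLM), and launches mstsc with the switch matching the chosen mode. The function names and the placeholder server name srv01.corp.example are my own. The registry mapping of the policy (RestrictedRemoteAdministration and RestrictedRemoteAdministrationType under the CredentialsDelegation policy key, with 1 = Require Restricted Admin, 2 = Require Remote Credential Guard, 3 = Restrict credential delegation) is taken from CredSsp.admx; verify it against your own ADMX copy before relying on it.

```powershell
# Added example (not from the original article): client-side policy, Kerberos pre-check
# and mstsc launch for Restricted Admin / Remote Credential Guard. Function names are mine;
# the policy-to-registry mapping is an assumption from CredSsp.admx (verify locally).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# "Use the following restricted mode" values and the mstsc switch that matches each.
$Modes = @{
    RequireRestrictedAdmin       = @{ Type = 1; Switch = '/restrictedAdmin' }
    RequireRemoteCredentialGuard = @{ Type = 2; Switch = '/remoteGuard' }
    RestrictCredentialDelegation = @{ Type = 3; Switch = $null }   # RCG preferred, Restricted Admin fallback: let the policy decide
}

function Set-CredentialDelegationPolicy {
    param([Parameter(Mandatory)]
          [ValidateSet('RequireRestrictedAdmin','RequireRemoteCredentialGuard','RestrictCredentialDelegation')]
          [string]$Mode)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'RestrictedRemoteAdministration'     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'RestrictedRemoteAdministrationType' -PropertyType DWord -Value $Modes[$Mode].Type -Force | Out-Null
}

function Test-KerberosTgt {
    # Remote Credential Guard redirects Kerberos requests to this client, so the logon
    # session must already hold a TGT. A local account or an NTLM-only logon has none.
    $out = (& klist.exe 2>&1) | Out-String
    return [bool]($out -match 'krbtgt/')
}

function Connect-ProtectedRdp {
    param([Parameter(Mandatory)][string]$ComputerName,
          [ValidateSet('RequireRestrictedAdmin','RequireRemoteCredentialGuard','RestrictCredentialDelegation')]
          [string]$Mode = 'RequireRemoteCredentialGuard')
    if ($Mode -ne 'RequireRestrictedAdmin' -and -not (Test-KerberosTgt)) {
        throw 'No Kerberos TGT in this logon session; Remote Credential Guard cannot be used (it blocks NTLM). Log on with a domain account.'
    }
    $argList = @("/v:$ComputerName")
    if ($Modes[$Mode].Switch) { $argList += $Modes[$Mode].Switch }
    Start-Process -FilePath 'mstsc.exe' -ArgumentList $argList
}

# Usage (the policy write needs elevation; the connection itself does not).
Set-CredentialDelegationPolicy -Mode RequireRemoteCredentialGuard
Connect-ProtectedRdp -ComputerName 'srv01.corp.example' -Mode RequireRemoteCredentialGuard
```

Always pass a Kerberos-resolvable host name (the FQDN registered for the server's SPN) rather than an IP address: connecting by IP forces NTLM, which Remote Credential Guard refuses, so the connection fails even when both sides are configured correctly.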