deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Removed unnecessary bold from table headings

Browse Source 
Table headings are automatically bold. Adding bold (<b> or **) to table headings results in bold text that is lighter than normal.
This commit is contained in:
Gary Moore
2020-10-22 15:09:52 -07:00
committed by GitHub
parent 813ca87003
commit 4389f5e61f
1 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
windows/security/identity-protection/remote-credential-guard.md
View File

@ -53,7 +53,7 @@ Use the following table to compare different Remote Desktop connection security
<br /> <br />
| **Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** | | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@ -67,7 +67,7 @@ Use the following table to compare different Remote Desktop connection security
<br /> <br />
For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)) and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
<br /> <br />
@ -93,8 +93,11 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device: The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. - Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host: The Remote Desktop remote host:
@ -112,7 +115,9 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials. > GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. - For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Windows Defender Remote Credential Guard ## Enable Windows Defender Remote Credential Guard
@ -120,15 +125,20 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
1. Open Registry Editor on the remote host. 1. Open Registry Editor on the remote host.
2. Enable Restricted Admin and Windows Defender Remote Credential Guard: 2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Add a new DWORD value named **DisableRestrictedAdmin**. - Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
3. Close Registry Editor. 3. Close Registry Editor.
You can add this by running the following command from an elevated command prompt: You can add this by running the following command from an elevated command prompt:
``` ```console
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
``` ```
@ -145,6 +155,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**: 3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> [!NOTE] > [!NOTE]
@ -165,7 +176,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
``` ```console
mstsc.exe /remoteGuard mstsc.exe /remoteGuard
``` ```