deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-08-18 09:22:10 -04:00
parent fffa094dad
commit 54fc38519a
1 changed files with 37 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
windows/security/identity-protection/remote-credential-guard.md
View File

@ -18,7 +18,7 @@ appliesto:
## Overview
Remote Credential Guard helps you protect your credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
Remote Credential Guard helps you protect your credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, your credentials aren't exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
This article describes how to configure and use Remote Credential Guard.
@ -30,55 +30,56 @@ This article describes how to configure and use Remote Credential Guard.
Using a Remote Desktop session without Remote Credential Guard has the following security implications:
- Credentials are sent to and stored on the remote host
- Credentials are not protected from attackers on the remote host
- Credentials aren't protected from attackers on the remote host
- Attacker can use credentials after disconnection
The security benefits of [Restricted Admin mode][TECH-1] include:
- Credentials are not sent to the remote host
- An attacker cannot act on behalf of the user and any attack is local to the server
The security benefits of Remote Credential Guard include:
- Credentials are not sent to the remote host
- Credentials aren't sent to the remote host
- During the remote session you can connect to other systems using SSO
- An attacker can act on behalf of the user only when the session is ongoing
The security benefits of [Restricted Admin mode][TECH-1] include:
- Credentials aren't sent to the remote host
- The Remote Desktop session connects to other resources as the remote host's identity
- An attacker can't act on behalf of the user and any attack is local to the server
Use the following table to compare different Remote Desktop connection security options:
|Feature|Remote Desktop|Remote Credential Guard|Restricted Admin mode|
|-|-|-|-|
| Single sign-on (SSO) to other systems as signed in user|✅|✅|❌ Remote Desktop session connects to other resources as the remote host's identity |
| Prevent use of user's identity during connection |❌|❌|✅|
| Prevent use of credentials after disconnection|❌|✅|✅|
| Prevent Pass-the-Hash (PtH)|❌|✅|✅|
| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode |
|--|--|--|--|
| Single sign-on (SSO) to other systems as signed in user | ✅ | ✅ | ❌ |
| Multi-hop RDP | ✅ | ✅ | ❌ |
| Prevent use of user's identity during connection | ❌ | ❌ | ✅ |
| Prevent use of credentials after disconnection | ❌ | ✅ | ✅ |
| Prevent Pass-the-Hash (PtH) | ❌ | ✅ | ✅ |
| Supported authentication | Any negotiable protocol | Kerberos only | Any negotiable protocol |
| Multi-hop RDP | ✅ | ✅ | ❌ Not allowed for user as the session is running as remote the host's identity |
| Credentials supported from the remote desktop client device | - Signed on credentials<br>- Supplied credentials<br>- Saved credentials | - Signed on credentials<br>- Supplied credentials<br> | - Signed on credentials<br>- Supplied credentials<br>- Saved credentials |
| RDP access granted with | Membership of *Remote Desktop Users* group on remote host | Membership of *Remote Desktop Users* group on remote host | Membership of *Administrators* group on remote host|
| RDP access granted with | Membership of **Remote Desktop Users** group on remote host | Membership of **Remote Desktop Users** group on remote host | Membership of **Administrators** group on remote host |
## Remote Credential Guard requirements
To use Remote Credential Guard, the remote host and the Remote Desktop client must meet the following requirements.
To use Remote Credential Guard, the remote host and the client must meet the following requirements.
The remote host:
- Must allow the user to access via Remote Desktop connections
- Must allow delegation of non-exportable credentials to the client device
- Must allow delegation of nonexportable credentials to the client device
The client device:
- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
## Enable delegation of non-exportable credentials on the remote hosts
## Enable delegation of nonexportable credentials on the remote hosts
This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate non-exportable credentials to the client device.\
If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
To enable delegation of non-exportable credentials on the remote hosts, you can use:
To enable delegation of nonexportable credentials on the remote hosts, you can use:
- Microsoft Intune/MDM
- Group policy
@ -92,7 +93,7 @@ To enable delegation of non-exportable credentials on the remote hosts, you can
| Category | Setting name | Value |
|--|--|--|
| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of non-exportable credentials | Enabled |
| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
@ -108,7 +109,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of non-exportable credentials | Enabled |
| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
@ -128,22 +129,22 @@ reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin
---
## Enable delegation of credentials on the clients
## Configure delegation of credentials on the clients
To enable Remote Credential Guard on the clients, you can configure a policy that enbables delegation of credentials to the remote hosts.
To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
> [!TIP]
> If you don't want to configure your clients to use Remote Credential Guard, you can use the following command to turn Remote Credential Guard on for a specific connection only:
> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
> ```cmd
> mstsc.exe /remoteGuard
> ```
The policy can have different values, depending on the level of security you want to enforce:
- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode are not enforced and the Remote Desktop Client can delegate credentials to remote devices
- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode aren't enforced and the Remote Desktop Client can delegate credentials to remote devices
- **Require Restricted Admin**: the Remote Desktop Client must use Restricted Admin to connect to remote hosts
- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts
- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard can't be used
- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used
> [!NOTE]
> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
@ -166,7 +167,7 @@ To configure your clients, you can use:
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy](../../../includes/configure/intune-settings-catalog-1.md) with the [Policy CSP][CSP-2].
Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2].
| Setting |
|--|
@ -197,7 +198,7 @@ To configure devices using the registry, use the following settings:
|--|
|- Key path: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation` <br>- Key name: `AllowProtectedCreds`<br>- Type: `REG_DWORD`<br>- Value: `1`|
You can add this by running the following command from an elevated command prompt:
You can use the following command from an elevated command prompt:
```cmd
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation /v AllowProtectedCreds /d 1 /t REG_DWORD
@ -214,18 +215,18 @@ Possible values for `AllowProtectedCreds` are:
## Use Remote Credential Guard
Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user will be automatically authenticated to the remote host:
Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host:
:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard.":::
:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO.":::
> [!NOTE]
> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
## Remote Desktop connections and helpdesk support scenarios
For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
For helpdesk support scenarios in which personnel requires administrative access via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attecker can access any of the user's resources for a limited time after the session disconnects.
We recommend to use Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1].
We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1].
To further harden security, we also recommend that you implement Windows Local Administrator Password Solution (LAPS), which automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers.