Microsoft's RDP implementation has a feature called Restricted Admin mode that allows a user “to log on to the server as local administrator, so an attacker cannot act on behalf of the domain user” that is used to authenticate the user. As a result, if the server is compromised, the administrator logging in via this route will not risk their Kerberos (or NTLM) credentials being stolen. Essentially this disables delegation of credentials, which is very useful if an administrator needs to rdesktop into a compromised machine.

On Windows, this feature is enabled with

on the host, and requested with the command-line option

mstsc.exe /restrictedAdmin

on the client side. The meaning of that option according to \? is:

/restrictedAdmin -- Connects you to the remote PC or server in Restricted Administration mode. In this mode, credentials won't be sent to the remote PC or server, which can protect you if you connect to a PC that has been compromised. However, connections made from the remote PC might not be authenticated by other PCs and servers, which might impact app functionality and compatibility. Implies /admin

I have not yet found an equivalent option for rdesktop 1.9.0 (Ubuntu 20.04).

Could this be added?

I suspect that implementing my closely related feature suggestion #401 (Kerberos authentication) may be a prerequisite for this option. For references that might contain the relevant protocol details, see #401.
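As an added example (not from this issue or the rdesktop project), the following Python audits Windows Security-log 4624 records on the host side and lists RDP logons that did not use Restricted Admin mode, i.e. the sessions in which a reusable credential was actually sent to the remote machine. The sample records are constructed, and the EventData field names (LogonType, RestrictedAdminMode, TargetUserName, TargetDomainName, IpAddress) are assumed to match the 4624 schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RemoteInteractive, i.e. an RDP session


def parse_4624(xml_text):
    """Return {name: value} for the EventData of one 4624 record, or None if it is not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def rdp_logons_with_delegated_credentials(records):
    """Return (user, source_ip) for each RDP logon that did NOT run in Restricted Admin mode.

    In those sessions the client delegated a reusable credential to the host, which is
    exactly the exposure Restricted Admin mode is meant to remove. The field value "-"
    (field absent on older Windows) is treated as "not restricted"."""
    findings = []
    for xml_text in records:
        data = parse_4624(xml_text)
        if data is None or data.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        if data.get("RestrictedAdminMode", "-") != "Yes":
            user = f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}'
            findings.append((user, data.get("IpAddress", "-")))
    return findings


def _record(event_id, **data):
    """Build a constructed event record in the Windows event XML layout (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample log: one restricted RDP logon, one unrestricted, one network logon, one logoff.
SAMPLE_RECORDS = [
    _record(4624, TargetUserName="alice", TargetDomainName="CORP", LogonType="10",
            RestrictedAdminMode="Yes", IpAddress="10.0.0.5"),
    _record(4624, TargetUserName="bob", TargetDomainName="CORP", LogonType="10",
            RestrictedAdminMode="No", IpAddress="10.0.0.6"),
    _record(4624, TargetUserName="svc", TargetDomainName="CORP", LogonType="3",
            RestrictedAdminMode="-", IpAddress="10.0.0.7"),
    _record(4634, TargetUserName="bob", TargetDomainName="CORP"),
]

if __name__ == "__main__":
    for user, ip in rdp_logons_with_delegated_credentials(SAMPLE_RECORDS):
        print(f"RDP logon by {user} from {ip} delegated credentials (no Restricted Admin mode)")
```

On a real host the records would come from the Security log (for example exported as XML); only the unrestricted RDP sessions are reported.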
mgkuhn changed the title from [FS] to [FS] Support for “Restricted Admin mode” (no forwarding of domain credentials) on Jun 17, 2022