[FS] Support for “Restricted Admin mode” (no forwarding of domain credentials) #402

Open
mgkuhn opened this issue Jun 17, 2022 · 0 comments


mgkuhn commented Jun 17, 2022

Microsoft's RDP implementation has a feature called Restricted Admin mode that allows a user “to log on to the server as local administrator, so an attacker cannot act on behalf of the domain user” that is used to authenticate the user. As a result, if the server is compromised, the administrator logging in via this route does not risk having their Kerberos (or NTLM) credentials stolen. Essentially, this disables delegation of credentials, which is very useful if administrators need to rdesktop into a compromised machine.

On Windows, this feature is enabled with

```
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```

on the host, and requested with command-line option

```
mstsc.exe /restrictedAdmin
```

on the client side. The meaning of that option according to \? is

> /restrictedAdmin -- Connects you to the remote PC or server in Restricted Administration mode. In this mode, credentials won't be sent to the remote PC or server, which can protect you if you connect to a PC that has been compromised. However, connections made from the remote PC might not be authenticated by other PCs and servers, which might impact app functionality and compatibility. Implies /admin

I have not yet found an equivalent option for rdesktop 1.9.0 (Ubuntu 20.04).

Could this be added?

I suspect that implementing my closely related feature suggestion #401 (Kerberos authentication) may be a prerequisite for this option. For references that might contain the relevant protocol details, see #401.

@mgkuhn mgkuhn changed the title [FS] [FS] Support for “Restricted Admin mode” (no forwarding of domain credentials) Jun 17, 2022
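
The client-side signalling this request involves, as an added example (not rdesktop code and not from the issue author): in MS-RDPBCGR the client sets `RESTRICTED_ADMIN_MODE_REQUIRED` in its RDP Negotiation Request and the server advertises `RESTRICTED_ADMIN_MODE_SUPPORTED` in its response. The function names and sample bytes are hypothetical, and refusing to continue when the server flag is absent is this example's own policy, chosen so that a client never falls back to delegating credentials.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants from MS-RDPBCGR (RDP Negotiation Request / Response). */
#define TYPE_RDP_NEG_REQ                0x01
#define TYPE_RDP_NEG_RSP                0x02
#define RESTRICTED_ADMIN_MODE_REQUIRED  0x01  /* RDP_NEG_REQ flags */
#define RESTRICTED_ADMIN_MODE_SUPPORTED 0x08  /* RDP_NEG_RSP flags */
#define PROTOCOL_HYBRID                 0x02  /* CredSSP */
#define NEG_LEN                         8

enum neg_result { NEG_OK = 0, NEG_MALFORMED = -1, NEG_NO_RESTRICTED_ADMIN = -2 };

/* Constructed sample responses (not captured traffic). */
const uint8_t RSP_SUPPORTED[NEG_LEN]   = {0x02, 0x09, 0x08, 0x00, 0x02, 0, 0, 0};
const uint8_t RSP_UNSUPPORTED[NEG_LEN] = {0x02, 0x01, 0x08, 0x00, 0x02, 0, 0, 0};

/* Hypothetical helper: write an 8-byte RDP_NEG_REQ asking for CredSSP,
 * optionally requiring Restricted Admin mode. Returns bytes written, 0 on error. */
size_t build_neg_req(uint8_t *out, size_t cap, int restricted_admin)
{
    if (out == NULL || cap < NEG_LEN)
        return 0;
    out[0] = TYPE_RDP_NEG_REQ;
    out[1] = restricted_admin ? RESTRICTED_ADMIN_MODE_REQUIRED : 0;
    out[2] = NEG_LEN; out[3] = 0;                 /* length, little-endian */
    out[4] = PROTOCOL_HYBRID; out[5] = out[6] = out[7] = 0;
    return NEG_LEN;
}

/* Hypothetical helper: validate an RDP_NEG_RSP. If Restricted Admin was
 * requested but the server did not advertise support, fail closed instead
 * of continuing with a normal, credential-delegating logon. */
enum neg_result check_neg_rsp(const uint8_t *in, size_t len, int restricted_admin)
{
    if (in == NULL || len < NEG_LEN || in[0] != TYPE_RDP_NEG_RSP)
        return NEG_MALFORMED;
    if ((in[2] | (in[3] << 8)) != NEG_LEN)
        return NEG_MALFORMED;
    if (restricted_admin && !(in[1] & RESTRICTED_ADMIN_MODE_SUPPORTED))
        return NEG_NO_RESTRICTED_ADMIN;
    return NEG_OK;
}

int main(void)
{
    /* 0 when the supporting server is accepted and the other is refused. */
    return !(check_neg_rsp(RSP_SUPPORTED, NEG_LEN, 1) == NEG_OK &&
             check_neg_rsp(RSP_UNSUPPORTED, NEG_LEN, 1) == NEG_NO_RESTRICTED_ADMIN);
}
```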