Microsoft Adding 'Restricted Admin Mode' for Windows Remote Desktop
Microsoft is developing a new "restricted administration mode" security measure for use with its Remote Desktop Protocol (RDP).
Restricted admin mode is an additional safeguard against "pass the hash" attacks, where hackers attempt to gain higher administrative privileges from a single compromised machine. With the restricted admin mode turned on, administration credentials aren't sent to the target server or PC during an RDP session, according to a Microsoft blog post. It essentially blocks attackers from stealing credentials to escalate their privileges on a network.
The new security feature is being built into "upcoming OS releases," according to the blog post, but it was first described at the Black Hat security event last month. So far, Microsoft is just working on adding restricted admin mode for systems using RDP and running Windows 8.1 and Windows Server 2012 R2. It's not clear when the feature will be available, or if it will be available for older operating systems.
The feature is activated via command line when running MSTSC.EXE. Users just add a switch at the end, namely, "MSTSC /RESTRICTEDADMIN." It typically might be used by help desk IT pros connecting to workstations or by domain administrators, according to the blog post.
Microsoft describes pass-the-hash attacks as starting with malware that manages to gain the credentials on a local machine. At that point, the compromised machine is used to intercept the password hash of other machines that link to the compromised one. Microsoft defines a password hash as the mathematical equivalent to a password, according to a white paper (PDF) on the topic:
A password hash is a direct one-way mathematical derivation of the password that changes only when the user’s password changes. Depending on the authentication mechanism, either a password hash or a plaintext password can be presented as an authenticator to serve as proof of the user’s identity to the operating system. Also, an authenticator may be stored in the computer’s memory to support single sign-on (SSO) which could be subject to theft.
The attack depends on the attacker first gaining administrative access privileges on a local machine. However, from that point, an attacker could eventually compromise a network by elevating their privileges using pass-the-hash methods.
The vulnerability isn't just for Windows systems but can happen on other platforms, too, according to Microsoft's white paper. The attacks are hard to detect because the use of stolen credentials does not show up in audit logs as being invalid, according to Microsoft.
Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.