Microsoft Adding 'Restricted Admin Mode' for Windows Remote Desktop

Microsoft is developing a new "restricted administration mode" security measure for use with its Remote Desktop Protocol (RDP).

Restricted admin mode is an additional safeguard against "pass the hash" attacks, in which attackers attempt to gain higher administrative privileges starting from a single compromised machine. With restricted admin mode turned on, administrator credentials aren't sent to the target server or PC during an RDP session, according to a Microsoft blog post. It essentially blocks attackers from stealing those credentials from the target and using them to escalate their privileges across a network.

The new security feature is being built into "upcoming OS releases," according to the blog post, but it was first described at the Black Hat security event last month. So far, Microsoft is just working on adding restricted admin mode for systems using RDP and running Windows 8.1 and Windows Server 2012 R2. It's not clear when the feature will be available, or if it will be available for older operating systems.

The feature is activated from the command line when running MSTSC.EXE: users add a switch at the end, namely "MSTSC /RESTRICTEDADMIN". It might typically be used by help desk IT pros connecting to workstations or by domain administrators, according to the blog post.

Microsoft describes pass-the-hash attacks as starting with malware that manages to obtain the credentials on a local machine. At that point, the compromised machine is used to capture the password hashes of other machines that connect to the compromised one. Microsoft defines a password hash as the mathematical equivalent of a password, according to a white paper (PDF) on the topic:

A password hash is a direct one-way mathematical derivation of the password that changes only when the user’s password changes. Depending on the authentication mechanism, either a password hash or a plaintext password can be presented as an authenticator to serve as proof of the user’s identity to the operating system. Also, an authenticator may be stored in the computer’s memory to support single sign-on (SSO) which could be subject to theft.

The attack depends on the attacker first gaining administrative access privileges on a local machine. However, from that point, an attacker could eventually compromise a network by elevating their privileges using pass-the-hash methods.

The vulnerability isn't limited to Windows systems; it can occur on other platforms, too, according to Microsoft's white paper. The attacks are hard to detect because the use of stolen credentials does not show up in audit logs as invalid, according to Microsoft.
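To make concrete why the white paper calls a password hash "the mathematical equivalent of a password," and what restricted admin mode changes about an RDP logon, here is an added toy model written for this article. It is not Microsoft's code and not the real RDP or NTLM protocol: the hash function (SHA-256), the challenge-response scheme (HMAC), the `Server` class with its `memory` list standing in for cached single-sign-on material, and the sample account name and password are all constructed assumptions. The model shows two things: a stored hash alone, with no password, is enough to authenticate to another machine; and a restricted admin logon leaves nothing reusable on the target, while a standard logon does.

```python
import hashlib
import hmac
import os

# Constructed toy model for illustration only. Real Windows authentication uses
# different hash functions and message formats; only the security property
# (a stored hash is itself a reusable authenticator) is what this demonstrates.


def password_hash(password: str) -> bytes:
    """One-way derivation of the password; it changes only when the password does."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Network-style authenticator: proves possession of the hash without sending it."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """A target machine (hypothetical). Holds the stored hash for verification and a
    'memory' list standing in for credential material cached to support SSO."""

    def __init__(self, user: str, pw_hash: bytes):
        self.stored = {user: pw_hash}
        self.memory = []  # what someone with admin rights on this box could read

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.stored[user], challenge)
        return hmac.compare_digest(expected, response)


def rdp_logon(server: Server, user: str, password: str, restricted_admin: bool) -> bool:
    """Model of the two logon styles. The client always starts from the password;
    what differs is what reaches the target."""
    challenge = server.new_challenge()
    pw_hash = password_hash(password)
    if restricted_admin:
        # Credential stays on the client; the target sees only a challenge-bound
        # response, which is useless for authenticating anywhere else.
        return server.verify(user, challenge, challenge_response(pw_hash, challenge))
    # Standard logon: the password is delivered to the target so SSO works there,
    # which leaves reusable material in the target's memory.
    server.memory.append(("plaintext", user, password))
    server.memory.append(("hash", user, pw_hash))
    return server.verify(user, challenge, challenge_response(pw_hash, challenge))


def reusable_credentials(server: Server) -> list:
    """What a memory dump of this target would yield to an attacker."""
    return [item for item in server.memory if item[0] in ("plaintext", "hash")]


def hash_alone_authenticates(pw_hash: bytes, server: Server, user: str) -> bool:
    """Why a leaked hash is as dangerous as the password: no plaintext is needed."""
    challenge = server.new_challenge()
    return server.verify(user, challenge, challenge_response(pw_hash, challenge))


def demo() -> dict:
    user = "admin"
    password = "correct horse battery staple"  # constructed sample value
    h = password_hash(password)
    workstation = Server(user, h)  # the box a help desk admin connects to
    file_server = Server(user, h)  # another machine sharing the same admin account

    # Standard RDP logon to a compromised workstation leaks reusable material.
    standard_ok = rdp_logon(workstation, user, password, restricted_admin=False)
    leaked = reusable_credentials(workstation)
    leaked_hash = next(item[2] for item in leaked if item[0] == "hash")
    lateral = hash_alone_authenticates(leaked_hash, file_server, user)

    # Restricted admin logon to an equally compromised workstation leaks nothing.
    clean_workstation = Server(user, h)
    restricted_ok = rdp_logon(clean_workstation, user, password, restricted_admin=True)

    return {
        "standard_logon": standard_ok,
        "standard_leaked_items": len(leaked),
        "hash_reused_elsewhere": lateral,
        "restricted_logon": restricted_ok,
        "restricted_leaked_items": len(reusable_credentials(clean_workstation)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the standard logon succeeding but leaving two reusable items on the workstation, the leaked hash alone authenticating to the file server, and the restricted admin logon succeeding with nothing left behind. The point for defenders is the one the article makes: the lateral logon with the stolen hash is a valid authentication, so an audit log records it as a success rather than a failure.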

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
