
Windows 8.1 termsrv patch


Microsoft recommends that Restricted Admin be used in scenarios where help desk users RDP to a workstation to resolve an issue, so that the elevated help desk credentials are never placed on the workstation (this requires the workstation to be Windows 8.1 or higher, or an earlier version with the Restricted Admin server components installed).


This effectively provides two options when connecting via RDP: send the credentials to the system you are connecting to (they are then stored in memory on the RDP host), or send only a “token” to the RDP host, keeping the credentials off it. Using the Restricted Admin logon type ensures that the user’s credentials do not exist on the RDP server. Note: Restricted Admin connections impersonate the computer account for any further network connections made from the session, so the connected admin can only reach remote shares and services to which the computer account has access.


  • Before this update, RDP logon was strictly an interactive logon: only after the user provided a user name and password did he or she gain access.
  • Logging on to an RDP host in this manner places the user’s credentials in memory on the RDP host, where they may be stolen if the host is compromised.
  • This update enables RDP to support a network-style logon (Restricted Admin mode), in which the user’s existing logon token is passed for authentication instead of the credentials themselves.
  • Restricted Admin RDP mode is an enhanced security mode that protects administrator credentials; it is available only to administrators of the target, not to ordinary “Remote Desktop Users”.
  • Restricted Admin RDP mode requires Remote Desktop Client support (mstsc /RestrictedAdmin).
  • “Protected Users” group support (forces Kerberos authentication and AES encryption for members).
  • Accounts in the Protected Users group may only authenticate using Kerberos; NTLM, Digest (WDigest), and CredSSP are denied.
  • Kerberos refuses DES and RC4 encryption types for pre-authentication of these accounts, so the domain must support AES (and the account’s password must have been set after AES keys became available, otherwise the account has no AES key to authenticate with).
  • A Protected User’s account cannot be delegated with Kerberos constrained or unconstrained delegation.
  • Protected Users work well with “Authentication Policies and Silos”.
  • The Protected Users group is created once the PDC emulator role is held by a Windows Server 2012 R2 domain controller; the domain-controller-side protections require the Windows Server 2012 R2 Domain Functional Level.
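The restrictions listed above (Kerberos only, no RC4/DES, no delegation, 2012 R2 functional level) are exactly the things that break when an account is moved into Protected Users without preparation. The following pre-flight check is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is available, and the account name and the AES cut-over date used are placeholders.

```powershell
# Added example (not from the original post). Check an admin account against the
# Protected Users restrictions before adding it to the group.
# Assumes: RSAT ActiveDirectory module; run as a user who can read the domain.

Import-Module ActiveDirectory

function Test-ProtectedUsersReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumption: date after which the domain issued AES Kerberos keys (2008 DFL or
        # later). A password last set before this has no AES key and would fail
        # pre-authentication once RC4 is refused. Adjust to your own domain history.
        [datetime]$AesAvailableSince = '2015-01-01'
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $domain   = Get-ADDomain

    # DC-side protections need the 2012 R2 functional level.
    if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
        $findings.Add("Domain functional level is $($domain.DomainMode); Windows2012R2Domain is required.")
    }
    # The group only exists once the PDC emulator runs on a 2012 R2 DC.
    if (-not (Get-ADGroup -Filter "name -eq 'Protected Users'")) {
        $findings.Add('Protected Users group not present; PDC emulator is not on a 2012 R2 DC.')
    }

    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, ServicePrincipalName,
            TrustedForDelegation, 'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes'

    if ($u.PasswordLastSet -lt $AesAvailableSince) {
        $findings.Add("Password last set $($u.PasswordLastSet); reset it so AES keys exist.")
    }
    # When the attribute is set explicitly, require AES128 (0x8) or AES256 (0x10).
    $enc = $u.'msDS-SupportedEncryptionTypes'
    if ($null -ne $enc -and ($enc -band 0x18) -eq 0) {
        $findings.Add("msDS-SupportedEncryptionTypes=$enc carries no AES flag.")
    }
    # Service accounts lose NTLM and delegation; they do not belong in this group.
    if ($u.ServicePrincipalName.Count -gt 0) {
        $findings.Add('Account has SPNs; dependent services would lose NTLM and delegation.')
    }
    if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo'.Count -gt 0) {
        $findings.Add('Account is configured for Kerberos delegation, which Protected Users blocks.')
    }

    [pscustomobject]@{
        Account  = $SamAccountName
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage ('adm-jsmith' is a placeholder):
# $r = Test-ProtectedUsersReadiness -SamAccountName 'adm-jsmith'
# if ($r.Ready) { Add-ADGroupMember -Identity 'Protected Users' -Members $r.Account } else { $r.Findings }
```

Two things the script cannot check and that still need a human decision: whether the account is ever used against systems that only speak NTLM (it will simply stop authenticating there), and whether it is used on laptops that rely on cached logons, which Protected Users also disables.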

    Update: KB2871997 includes the client components of Restricted Admin mode for the Remote Desktop Client (mstsc /RestrictedAdmin); a separate patch released at the end of 2014 includes the server components of Restricted Admin mode for these earlier versions of Windows. Note also that this update does not stop Pass-the-Hash. It does help harden Windows against standard attack methods such as clear-text password dumping, RDP credential theft, and lateral movement using local Administrator accounts. Note: This post uses WDigest and Digest authentication interchangeably.
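The two host-side settings that matter most in practice after this update are whether WDigest still caches the clear-text password in LSASS and whether the host accepts Restricted Admin connections. The audit and hardening script below is an added example, not code from the original post or from Microsoft; the registry paths are the documented ones, but how it interprets a missing value (as the OS default) is this example’s own assumption.

```powershell
# Added example (not from the original post). Audit one host for the credential
# protections KB2871997 introduced or relies on, and optionally harden it.
# Run locally in an elevated PowerShell session.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialHardeningState {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # 6.3 = Windows 8.1 / Server 2012 R2: the features are built in and Get-HotFix
    # will not list KB2871997 at all on those versions.
    $builtIn = [version]$os.Version -ge [version]'6.3'
    $kb      = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue

    # UseLogonCredential=0 stops WDigest keeping the clear-text password in LSASS.
    # On the back-ported versions the value must be created explicitly. Assumption:
    # when it is absent, 7/8/2008R2/2012 still cache clear-text and 8.1/2012 R2 do not.
    $ulc = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $clearTextCached = if ($null -ne $ulc) { $ulc -ne 0 } else { -not $builtIn }

    # DisableRestrictedAdmin=0 makes this host accept mstsc /RestrictedAdmin connections
    # (server side); 1 refuses them; absent means the OS default applies.
    $dra = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OSVersion               = $os.Version
        KB2871997Present        = ($builtIn -or [bool]$kb)
        UseLogonCredential      = if ($null -ne $ulc) { $ulc } else { 'absent' }
        WDigestClearTextCached  = $clearTextCached
        DisableRestrictedAdmin  = if ($null -ne $dra) { $dra } else { 'absent (OS default)' }
        RestrictedAdminAccepted = ($dra -eq 0)
    }
}

function Set-CredentialHardening {
    # Idempotent: creates the key/value if missing. Sessions that are already logged on
    # keep whatever LSASS cached for them until they log off.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$EnableRestrictedAdminTarget)

    if ($PSCmdlet.ShouldProcess($WDigestKey, 'Set UseLogonCredential=0')) {
        if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($EnableRestrictedAdminTarget -and $PSCmdlet.ShouldProcess($LsaKey, 'Set DisableRestrictedAdmin=0')) {
        New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-CredentialHardeningState | Format-List
# Set-CredentialHardening -EnableRestrictedAdminTarget -WhatIf   # preview, then drop -WhatIf
# From the help desk workstation, connect without leaving credentials on the target
# ('target-pc' is a placeholder):
#   mstsc.exe /RestrictedAdmin /v:target-pc
```

Setting DisableRestrictedAdmin to 0 is a trade-off worth making deliberately: it protects the connecting admin’s credentials, but it also means an attacker who already holds that admin’s hash can open a Restricted Admin RDP session to the host without ever knowing the password, which is the Pass-the-Hash caveat the paragraph above points out.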


    In June 2014, Microsoft released KB2871997, which takes many of the enhanced security protection mechanisms built into Windows 8.1 and Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. The enhanced security features reduce the credential data stored in memory and support modern authentication (Kerberos AES).

    There are two primary logon types, interactive and network. An interactive logon occurs when a user enters their logon credentials at the logon prompt, typically when sitting in front of a computer (or when connecting to Terminal Services or Remote Desktop Protocol, RDP, services). This logon type results in the user’s credentials being stored in memory, often in several forms: Kerberos tickets, the NTLM hash, the LM hash (if the password is shorter than 15 characters), and even the clear-text password. Mimikatz is a tool that can extract credentials from LSASS protected memory as well as from the local Windows Security Accounts Manager (SAM). Read the Unofficial Guide to Mimikatz & Command Reference for more information on Mimikatz capability, usage, detection, and mitigation.

    The second type is a network logon, where the user’s credentials are transparently passed to the service on the destination system in order to gain access; the user does not have to explicitly enter credentials, they are “passed” to the target service and verified (typically using Kerberos or NTLM). With this logon type the user’s credentials are not sent to the system hosting the service, and therefore they are not stored on the destination system. In that sense, any service receiving network logons relies on “pass the hash” behaviour for single sign-on (SSO): the client proves knowledge of the credential without handing the credential itself to the target.
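The distinction between interactive and network logons drawn above (and in the RDP bullets earlier) is visible directly in the Security log: every logon is a 4624 event whose LogonType field says which kind it was, and so whether secret material landed on that host. The classifier below is an added example, not code from the original post; the sample records are constructed inline so it runs offline, the logon-type table reflects documented Windows logon types, and the “credentials on host” judgement per type is this example’s own interpretation.

```powershell
# Added example (not from the original post). Classify 4624 logons by LogonType to show
# which sessions leave credential material in LSASS on the target host.

# Documented Windows logon types; CredsOnHost is this example's judgement of whether
# the target ends up holding reusable secrets (hash, ticket or clear-text) for the user.
$LogonTypes = @{
    2  = @{ Name = 'Interactive';       CredsOnHost = $true  }   # console logon
    3  = @{ Name = 'Network';           CredsOnHost = $false }   # SMB, WinRM, network logon
    4  = @{ Name = 'Batch';             CredsOnHost = $true  }   # scheduled task with stored creds
    5  = @{ Name = 'Service';           CredsOnHost = $true  }   # service account
    8  = @{ Name = 'NetworkCleartext';  CredsOnHost = $true  }   # e.g. IIS basic auth
    9  = @{ Name = 'NewCredentials';    CredsOnHost = $true  }   # runas /netonly
    10 = @{ Name = 'RemoteInteractive'; CredsOnHost = $true  }   # classic RDP
    11 = @{ Name = 'CachedInteractive'; CredsOnHost = $true  }   # cached domain logon
}

function ConvertFrom-Event4624 {
    # Flatten a real Security/4624 EventRecord into the shape Get-LogonExposure expects.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            TargetUserName = $d.TargetUserName
            LogonType      = [int]$d.LogonType
            AuthPackage    = $d.AuthenticationPackageName
            LogonProcess   = $d.LogonProcessName
        }
    }
}

function Get-LogonExposure {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $t = $LogonTypes[[int]$e.LogonType]
        [pscustomobject]@{
            User        = $e.TargetUserName
            LogonType   = $e.LogonType
            Kind        = if ($t) { $t.Name } else { 'Unknown' }
            AuthPackage = $e.AuthPackage
            CredsOnHost = if ($t) { $t.CredsOnHost } else { $null }
            Note        = if ($t -and $t.CredsOnHost) { 'Secrets in LSASS on this host; Mimikatz target' }
                          elseif ($t)                 { 'Credentials stay on the client' }
                          else                        { 'Review manually' }
        }
    }
}

# Constructed sample records (not real log data), in the flattened shape above.
$sample = @(
    [pscustomobject]@{ TargetUserName = 'helpdesk1';  LogonType = 10; AuthPackage = 'Negotiate' }  # classic RDP
    [pscustomobject]@{ TargetUserName = 'helpdesk1';  LogonType = 3;  AuthPackage = 'Kerberos'  }  # admin share / WinRM
    [pscustomobject]@{ TargetUserName = 'svc_backup'; LogonType = 5;  AuthPackage = 'Negotiate' }  # service logon
    [pscustomobject]@{ TargetUserName = 'jsmith';     LogonType = 2;  AuthPackage = 'Negotiate' }  # console
)
Get-LogonExposure -Events $sample | Format-Table -AutoSize

# Against a live host (elevated), the same pipeline:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ConvertFrom-Event4624 | Where-Object { $_.TargetUserName -notlike '*$' } |
#     ForEach-Object { Get-LogonExposure -Events $_ } | Format-Table -AutoSize
```

One practical use: run this on a jump host or file server and look for privileged accounts showing up with LogonType 10, 2 or 9. Those are the sessions whose hashes and tickets an attacker with local admin on that box could lift, and they are the ones that Restricted Admin (for RDP) or Protected Users (for the account) are meant to eliminate.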









