Wednesday, August 17, 2016

Using Remote Credential Guard to Protect Remote Desktop credentials

Remote Credential Guard, introduced with Windows 10 version 1607, allows you to protect your credentials over a Remote Desktop connection to a domain-joined server or client.

This is designed for scenarios where both client and server are joined to the same domain, or where a trust relationship exists between their domains.

Scenarios as defined by Microsoft:

- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.

- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.

It can be enabled on the client by configuring the GPO setting "Restrict delegation of credentials to remote servers" to "Require Remote Credential Guard". The setting is located in Configuration -> Administrative Templates -> System -> Credentials Delegation.

If you don’t use GPO (but seriously, who doesn't?), you can use the new switch of the mstsc command by running mstsc.exe /remoteGuard.
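To confirm that the GPO setting actually reached a client, the following added example (not from the original post or from Microsoft) reads the policy values back from the registry. The function name Get-RestrictedDelegationMode is hypothetical, and the registry path and value names are assumed to be the ones the Credentials Delegation administrative template writes; check them against your ADMX files.

```powershell
# Added example: report which "Restrict delegation of credentials to remote
# servers" mode has been applied to this client by policy.
# Assumption: the key and value names below are those written by the
# Credentials Delegation administrative template; verify against your ADMX.
function Get-RestrictedDelegationMode {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    )

    # Options offered by the policy setting, keyed by the stored DWORD.
    $modes = @{
        1 = 'Require Restricted Admin'
        2 = 'Require Remote Credential Guard'
        3 = 'Restrict Credential Delegation'
    }

    # The key is absent when the policy has never been configured.
    $policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $enabled = [bool]($policy -and $policy.RestrictedRemoteAdministration -eq 1)

    if (-not $enabled) {
        $mode = 'Not configured'
    } else {
        # A missing type value casts to 0 and is reported as unknown.
        $type = [int]$policy.RestrictedRemoteAdministrationType
        $mode = if ($modes.ContainsKey($type)) { $modes[$type] } else { "Unknown ($type)" }
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        PolicyEnabled                 = $enabled
        Mode                          = $mode
        RequiresRemoteCredentialGuard = ($mode -eq 'Require Remote Credential Guard')
    }
}

Get-RestrictedDelegationMode
```

A client that reports "Not configured" can still use Remote Credential Guard for a single connection through mstsc.exe /remoteGuard; this check only covers the policy setting.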


Source & more details: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard
