INF258x: Implementing Remote Credential Guard and Remote Admin mode on Domain-joined Clients

Estimated Time: 30 minutes

You have a domain-joined Windows 10 client computer. You plan to take advantage of Remote Credential Guard and Restricted Admin mode to protect credentials during Remote Desktop sessions between the Windows 10 client and Windows Server 2016 computers.

Objectives

After completing this lab, students will be able to:
• Implement Remote Credential Guard.
• Implement the Restricted Admin mode.
• Verify functionality of Remote Credential Guard and the Restricted Admin mode.

Lab environment

The lab consists of the following computers:
• LON-DC1 – a Windows Server 2016 domain controller in the adatum.com single-domain forest.
• LON-SVR1 – a Windows Server 2016 domain member server.
• LON-CL1 – a Windows 10 Pro or Enterprise version 1607 (or newer) domain member computer with Remote Server Administration Tools for Windows 10.

All computers have Windows PowerShell Remoting enabled and have Internet connectivity.

Remote Desktop connections protected with Remote Credential Guard have the following characteristics:

• Require Windows 10, version 1607 (or newer) or Windows Server 2016 (or newer)
• Enforce Kerberos authentication (NTLM is not allowed)
• Require that both computers (the Remote Desktop client and the Remote Desktop host) are members of the same Active Directory domain or of trusted domains (because Kerberos is enforced)
• Support connecting with non-administrative credentials (as a member of the Remote Desktop Users group)
• Support connecting with signed-on credentials and, starting with Windows 10, version 1703, also with supplied or saved credentials
• Support single sign-on
• Support connectivity only via the Remote Desktop classic Windows app (the Universal Windows Platform app is not supported)
• Mitigate Pass the Hash attacks
• Mitigate exploits of Remote Desktop session credentials following session disconnects
• Allow for network access in the security context of the signed-on user

Remote Desktop connections protected with Restricted Admin mode have the following characteristics:

• Require Windows 7 (or newer) or Windows Server 2008 R2 (or newer)
• Support NTLM and Kerberos
• Support computers that are not members of Active Directory domains
• Require that accounts used to establish Remote Desktop sessions are members of the Administrators group on the remote computer
• Support connectivity via the Remote Desktop classic Windows app or the Universal Windows Platform app
• Support connecting with signed-on, supplied, or saved credentials
• Support single sign-on
• Mitigate Pass the Hash attacks
• Mitigate exploits of Remote Desktop session credentials throughout the session's duration (including after disconnects)
• Provide network access in the security context of the Remote Desktop session host computer account

Exercise 1: Implement Remote Desktop session protection with Remote Credential Guard

In this exercise, you will implement Remote Desktop session protection with Remote Credential Guard. The main tasks for this exercise are as follows:
1. Enable Remote Credential Guard on the Remote Desktop target host.
2. Enable Remote Credential Guard on the Remote Desktop client.
3. Allow Remote Desktop connections to the Remote Desktop target host.
4. Establish a Remote Desktop session with Remote Credential Guard enabled.
5. Examine Remote Credential Guard protection.

Task 1: Enable Remote Credential Guard on the Remote Desktop target host
1. Sign in to the LON-SVR1 Windows Server 2016 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. Right-click Start, click Run, in the Open text box, type regedit, and then click OK.
3. In the Registry Editor window, navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key.
4. Create a new registry entry named DisableRestrictedAdmin of REG_DWORD type and set its value to 0.
5. Close Registry Editor.

Setting DisableRestrictedAdmin to 0 enables both Restricted Admin mode and Remote Credential Guard on the host, which is why Exercise 2 Task 1 repeats this step. Alternatively, you can accomplish the same result by running the following from the Administrator: Windows PowerShell elevated prompt:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

Task 2: Enable Remote Credential Guard on the Remote Desktop client
1. Sign in to the LON-DC1 Windows Server 2016 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-DC1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder and click Active Directory Administrative Center.
3. In the Active Directory Administrative Center console, ensure that the adatum (local) entry is selected, click Users, in the Tasks pane, click New and then click User.
4. In the Create User window, specify the following:
• Full name: Student1
• User UPN logon: Student1
• User SamAccountName logon: Student1
• Password: Pa55w.rd1
• Password options: Other password options – Password never expires
5. Click OK.
6. While signed in to LON-DC1 as ADATUM\Administrator, click Start, in the Start menu, right-click Windows PowerShell, in the right-click menu, click More and click Run as administrator.
7. From the Administrator: Windows PowerShell window, type the following and press Enter:

Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Add-LocalGroupMember -Group 'Administrators' -Member 'ADATUM\Student1'}

This will add the newly created user to the local Administrators group on LON-CL1.

You will use the ADATUM\Student1 account during this and subsequent tasks to test the functionality of Remote Credential Guard and the Restricted Admin Mode.

8. While signed in to LON-DC1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder and click Group Policy Management.
9. In the Group Policy Management console, expand the Forest: Adatum.com and Domains nodes, right-click Adatum.com, and click Create a GPO in this domain, and Link it here in the right-click menu.
10. In the New GPO dialog box, in the Name text box, type Remote Desktop Protection Policy and click OK.
11. Back in the Group Policy Management console, expand the Adatum.com node and click the Remote Desktop Protection Policy GPO. If prompted with the message box stating You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked, select the Do not show this message again checkbox and click OK.
12. On the Scope tab of the Remote Desktop Protection Policy GPO, in the Security Filtering section, click Authenticated Users, click Remove and, when prompted to confirm, click OK.
13. Click Add, and in the Select User, Computer, or Group dialog box, click Object Types.
14. In the Object Types dialog box, select Computers and click OK.
15. In the Enter the object name to select text box, type LON-CL1 and click OK.

Typically, you would use an Active Directory group containing the LON-CL1 computer account to apply Security Filtering of a GPO. This lab uses the LON-CL1 computer account directly for simplicity, since you would need to restart LON-CL1 for a new group membership to take effect. This is a viable approach in a lab scenario.

16. Right-click the Remote Desktop Protection Policy GPO and, in the right-click menu, click Edit. This will open Group Policy Management Editor.
17. In the Group Policy Management Editor window, navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation.
18. In the details pane, double-click Restrict delegation of credentials to remote servers.
19. Click Enabled.
20. In the Use the following restricted mode drop-down list, select Require Remote Credential Guard.

The Restrict delegation of credentials to remote servers setting offers three choices:
• Require Remote Credential Guard – enforces Remote Credential Guard
• Require Restricted Admin – enforces Restricted Admin mode
• Restrict Credential Delegation – uses Remote Credential Guard if the target supports it, otherwise falls back to Restricted Admin mode

21. Click OK. Leave the Group Policy Management Editor window open. You will use it in Exercise 2.
22. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Student1
• PASSWORD: Pa55w.rd1
23. Right-click Start and then click Windows PowerShell (Admin).
24. To ensure that the group policy change is applied, from the Administrator: Windows PowerShell prompt, run the following:

gpupdate /force
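After the policy refresh, you can confirm from LON-DC1 what actually landed on both computers instead of waiting for the first connection attempt to fail. The script below is an added example and is not part of the original lab. It assumes the registry names that back the Restrict delegation of credentials to remote servers policy (RestrictedRemoteAdministration and RestrictedRemoteAdministrationType under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, with 1 = Restrict Credential Delegation, 2 = Require Remote Credential Guard, 3 = Require Restricted Admin, as defined in the CredSsp.admx template that ships with Windows), and it relies on the PowerShell Remoting that all lab computers have enabled.

```powershell
# Added example, not part of the original lab. Run from an elevated Windows PowerShell
# prompt on LON-DC1 as ADATUM\Administrator.
# Registry names and values below are those defined for the policy in CredSsp.admx;
# check them against your copy of the template if the output does not match.

$modeNames = @{
    1 = 'Restrict Credential Delegation'   # Remote Credential Guard if supported, else Restricted Admin
    2 = 'Require Remote Credential Guard'
    3 = 'Require Restricted Admin'
}

# Client side (LON-CL1): the GPO writes the policy under the CredentialsDelegation key.
$clientPolicy = Invoke-Command -ComputerName LON-CL1 -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    if (Test-Path -Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property RestrictedRemoteAdministration, RestrictedRemoteAdministrationType
    }
}

if ($null -eq $clientPolicy -or $clientPolicy.RestrictedRemoteAdministration -ne 1) {
    Write-Warning 'LON-CL1: policy not applied yet; run gpupdate /force on LON-CL1 and retry.'
}
else {
    $type = [int]$clientPolicy.RestrictedRemoteAdministrationType
    $name = if ($modeNames.ContainsKey($type)) { $modeNames[$type] } else { 'unknown value' }
    "LON-CL1: Restrict delegation of credentials to remote servers = Enabled, mode $type ($name)"
}

# Host side (LON-SVR1): DisableRestrictedAdmin = 0 (Exercise 1 Task 1) makes the host
# accept both Restricted Admin and Remote Credential Guard connections.
$hostValue = Invoke-Command -ComputerName LON-SVR1 -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    if ($null -ne $lsa) { $lsa.DisableRestrictedAdmin }
}

if ($null -eq $hostValue) {
    Write-Warning 'LON-SVR1: DisableRestrictedAdmin is not set; complete Exercise 1 Task 1 first.'
}
elseif ($hostValue -eq 0) {
    'LON-SVR1: DisableRestrictedAdmin = 0, protected connections are accepted'
}
else {
    Write-Warning "LON-SVR1: DisableRestrictedAdmin = $hostValue, protected connections will be refused"
}
```

Run it again after Exercise 2 Task 2: the mode value on LON-CL1 should change from 2 to 3 once the GPO is switched to Require Restricted Admin and gpupdate has run.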

Task 3: Allow Remote Desktop connections to the Remote Desktop target host
1. On LON-SVR1, right-click Start and click Run.
2. In the Open text box, type sysdm.cpl and click OK.
3. In the System Properties dialog box, switch to the Remote tab.
4. Click Allow remote connections to this computer.
5. Click OK to acknowledge that Remote Desktop firewall exceptions will be enabled.
6. Click Select Users.
7. In the Remote Desktop Users dialog box, click Add.
8. In the Select Users or Groups dialog box, type Student1 and click OK.
9. Click OK to add the ADATUM\Student1 account to the local Remote Desktop Users group on LON-SVR1.
10. Click OK to allow Remote Desktop connections.

Task 4: Establish a Remote Desktop session with Remote Credential Guard enabled
1. On LON-CL1, right-click Start and click Run.
2. In the Open text box, type mstsc and click OK.
3. In the Remote Desktop Connection dialog box, click Show options.
4. In the Computer text box, type LON-SVR1.adatum.com.
5. Ensure that Student1@adatum.com appears in the User name text box.
6. Click Connect.

In scenarios where you have not enforced Remote Credential Guard on the Remote Desktop client via Group Policy, you can add the /remoteGuard switch when running mstsc.exe to specify that you want to apply Remote Credential Guard protection to that connection.

Task 5: Examine Remote Credential Guard protection

In this task, you will use mimikatz to attempt retrieval of the credentials of a user accessing the local server via Remote Desktop. Without Remote Credential Guard protection, this attempt would be successful. Note that running mimikatz in this manner requires local Administrator privileges (privilege::debug enables SeDebugPrivilege, which is needed to read LSASS memory).

1. Switch to the console connection to LON-SVR1 (as ADATUM\Administrator).

In order to complete the subsequent steps, you will need to create a Windows Defender folder exclusion for the folder into which you download mimikatz. Without it, the downloaded file will be automatically deleted because it is detected as malware. In general, you should avoid downloading such files or creating exclusions to facilitate their download.
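The steps that follow create the folder but do not show the exclusion itself, so here is how to create it. This is an added example rather than a step from the original lab; it uses the Windows Defender cmdlets available on Windows Server 2016, assumes the C:\Exclusions folder used in the rest of this task, and also creates that folder, so the mkdir in step 3 can be skipped.

```powershell
# Added example, not part of the original lab. Run from an elevated Windows PowerShell
# prompt on LON-SVR1 before downloading mimikatz in the steps that follow.
$labFolder = 'C:\Exclusions'

# Create the folder and exclude it from Windows Defender real-time and scheduled scans.
New-Item -Path $labFolder -ItemType Directory -Force | Out-Null
Add-MpPreference -ExclusionPath $labFolder

# Confirm the exclusion is active before running Invoke-WebRequest; without it the
# downloaded archive is removed as soon as it is written to disk.
$active = (Get-MpPreference).ExclusionPath -contains $labFolder
if (-not $active) { throw "Windows Defender exclusion for $labFolder was not created" }
"Windows Defender exclusion for $labFolder is active"

# Clean-up once both exercises are complete (run these two lines then, not now):
# Remove-MpPreference -ExclusionPath $labFolder
# Remove-Item -Path $labFolder -Recurse -Force
```

Keep the exclusion as narrow as the folder needs; an exclusion on a broader path would hide anything else dropped there from Windows Defender as well.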

2. Click Start, in the Start menu, right-click Windows PowerShell, in the right-click menu, click More and click Run as administrator.
3. From the Administrator: Windows PowerShell window, type the following and press Enter:

mkdir C:\Exclusions

4. Before you run the Invoke-WebRequest cmdlet, set the security protocol for the current PowerShell session to TLS 1.2, which github.com requires (the setting is temporary and applies only to this session). From the Administrator: Windows PowerShell window, type the following and press Enter:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

5. From the Administrator: Windows PowerShell window, type the following and press Enter. If you do not type the command on one line, end each continued line with the backtick (`), which is the line continuation character in Windows PowerShell, for example:

Invoke-WebRequest -Uri `
https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip `
-OutFile C:\Exclusions\mimikatz_trunk.zip

Invoke-WebRequest -Uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip -OutFile C:\Exclusions\mimikatz_trunk.zip

This will download release 2.2.0-20200519 of mimikatz (mimikatz_trunk.zip) from https://github.com/gentilkiwi/mimikatz/releases into the C:\Exclusions folder.
6. From the Administrator: Windows PowerShell window, type the following and press Enter:

Expand-Archive -Path C:\Exclusions\mimikatz_trunk.zip -DestinationPath C:\Exclusions -Force

This will extract the content of the downloaded archive into the C:\Exclusions folder.
7. Right-click Start and click Command Prompt (Admin).
8. In the Administrator: Command Prompt window, change the current directory to C:\Exclusions\x64.
9. From the command prompt, run the following:

mimikatz privilege::debug sekurlsa::logonPasswords exit

Examine the output. It should include an entry representing the remote interactive logon of the ADATUM\Student1 account. Note that the Kerberos password value and the NTLM and SHA1 hashes for that logon session are not available: with Remote Credential Guard, the user's secrets stay on LON-CL1 and are never sent to LON-SVR1.

10. Switch to LON-CL1 and, in the Remote Desktop session to LON-SVR1, right-click Start and click Command Prompt.
11. At the command prompt, type klist and press Enter.
12. Examine the list of Kerberos tickets. Notice that all tickets have been issued to Student1@adatum.com.
13. From the Command Prompt, run the following:

dir \\LON-CL1.adatum.com\c$

Verify that the output of the command includes the listing of the top-level folders on LON-CL1. This is expected, since you are using the credentials of the Student1@adatum.com account, which is a member of the local Administrators group on LON-CL1 (and Windows Firewall with Advanced Security on LON-CL1 allows inbound SMB traffic by default).

14. Rerun klist and note an additional Kerberos ticket issued to Student1@adatum.com, for the cifs service on LON-CL1.adatum.com.
15. Log off as Student1@adatum.com from within the Remote Desktop session to LON-SVR1.
16. Switch to the console connection to LON-SVR1 (to which you are signed in as ADATUM\Administrator).
17. On LON-SVR1, right-click Start and click Run.
18. In the Open text box, type eventvwr.msc and click OK.
19. In the Event Viewer window, expand Windows Logs and click Security.
20. In the Security log, search for events with ID 4624 corresponding to successful logons using the Student1@adatum.com credentials. Locate the event corresponding to the logon via Remote Desktop.
21. Double-click the event.
22. On the General tab, scroll down through the details of the event. Make sure that the Logon Type is 10, which represents a RemoteInteractive logon.
23. Note that the Authentication Package is Negotiate.
24. Close the event window.

Results: After completing this exercise, you will have implemented Remote Credential Guard and tested its functionality.

Exercise 2: Implement Remote Desktop session protection with Restricted Admin Mode

In this exercise, you will implement Remote Desktop session protection with Restricted Admin Mode. The main tasks for this exercise are as follows:
1. Enable Restricted Admin Mode on the Remote Desktop target host.
2. Enable Restricted Admin Mode on the Remote Desktop client.
3. Grant Administrator privileges to ADATUM\Student1 on the Remote Desktop target host to allow Remote Desktop connections in the Restricted Admin Mode.
4. Establish a Remote Desktop session with Restricted Admin Mode enabled.
5. Examine Restricted Admin Mode protection.

 Task 1: Enable Restricted Admin Mode on the Remote Desktop target host

This task is identical to Exercise 1 Task 1, so proceed directly to Task 2 if you have already completed it.

1. Sign in to the LON-SVR1 Windows Server 2016 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. Right-click Start, click Run, in the Open text box, type regedit, and then click OK.
3. In the Registry Editor window, navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key.
4. Create a new registry entry named DisableRestrictedAdmin of REG_DWORD type and set its value to 0.
5. Close Registry Editor.

Alternatively, you can accomplish the same result by running the following from the Administrator: Windows PowerShell elevated prompt:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

Task 2: Enable Restricted Admin Mode on the Remote Desktop client
1. While signed in to LON-DC1 as ADATUM\Administrator, in the Group Policy Management Editor window of the Remote Desktop Protection Policy GPO, ensure that you are viewing the Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation node.
2. In the details pane, double-click Restrict delegation of credentials to remote servers.
3. Click Enabled.
4. In the Use the following restricted mode drop-down list, select Require Restricted Admin.

The Restrict delegation of credentials to remote servers setting offers three choices: • Require Remote Credential Guard – enforces Credential Guard • Require Restricted Admin – enforces Restricted Admin • Restrict Credential Delegation – enforces Credential Guard if supported – otherwise enforces Restricted Admin.

5. Click OK.
6. Switch to the LON-CL1 Windows 10 lab virtual machine, where you are signed in as ADATUM\Student1.
7. Right-click Start and then click Windows PowerShell (Admin).
8. To ensure that the group policy change is applied, from the Administrator: Windows PowerShell prompt, run the following:

gpupdate /force

Task 3: Grant Administrator privileges to ADATUM\Student1 on the Remote Desktop target host to allow Remote Desktop connections in the Restricted Admin Mode
1. While signed in to LON-CL1 as ADATUM\Student1, right-click Start and click Run.
2. In the Open text box, type mstsc and click OK.
3. In the Remote Desktop Connection dialog box, click Show options.
4. In the Computer text box, type LON-SVR1.adatum.com.
5. Ensure that Student1@adatum.com appears in the User name text box.
6. Click Connect.

The connection should fail with the error message: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. This is expected: with Restricted Admin mode enforced on the client, it is no longer sufficient for the authenticating account to be a member of the Remote Desktop Users group on the target host. The account must be a member of the Administrators group on the target host. You will add the Student1 user account to this group in this task.

7. Switch to LON-SVR1, where you are signed in as ADATUM\Administrator, right-click Start and click Run.
8. In the Open text box, type lusrmgr.msc and click OK.
9. In the Local Users and Groups console, click Groups.
10. In the list of groups in the details pane, double-click Administrators.
11. In the Administrators Properties dialog box, click Add.
12. In the Select Users or Groups dialog box, type Student1 and click OK.
13. Click OK to add the ADATUM\Student1 account to the local Administrators group on LON-SVR1.
14. In the list of groups in the details pane, double-click Remote Desktop Users.
15. Click ADATUM\Student1 and click Remove.
16. Click OK to complete the change.

Task 4: Establish a Remote Desktop session with Restricted Admin Mode enabled
1. On LON-CL1, right-click Start and click Run.
2. In the Open text box, type mstsc and click OK.
3. In the Remote Desktop Connection dialog box, click Show options.
4. In the Computer text box, type LON-SVR1.adatum.com.
5. In the User name text box, type Student1@adatum.com.
6. Click Connect.
7. When prompted for the password, type Pa55w.rd1.

In scenarios where you have not enforced Restricted Admin mode on the Remote Desktop client via Group Policy, you can add the /restrictedAdmin switch when running mstsc.exe to specify that you want to apply Restricted Admin mode protection to that connection.

Task 5: Examine Restricted Admin Mode protection
1. Switch to the console connection to LON-SVR1 (where you are signed in as ADATUM\Administrator).

In order to complete subsequent steps, you will need to create a Windows Defender folder exclusion. Without it, the downloaded file will be automatically deleted since it is detected as malware. In general, you obviously should avoid downloading such files or creating exclusions to facilitate their download.

Steps 2 – 5 are identical to those in Exercise 1 Task 5 (the C:\Exclusions folder and the extracted mimikatz files already exist), so proceed directly to step 6 if you have already completed them.

2. Click Start, in the Start menu, right-click Windows PowerShell, in the right-click menu, click More and click Run as administrator.
3. Before you run the Invoke-WebRequest cmdlet, set the security protocol for the current PowerShell session to TLS 1.2, which github.com requires (the setting is temporary and applies only to this session). From the Administrator: Windows PowerShell window, type the following and press Enter:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

4. From the Administrator: Windows PowerShell window, type the following and press Enter:

Invoke-WebRequest -Uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip -OutFile C:\Exclusions\mimikatz_trunk.zip

This will download release 2.2.0-20200519 of mimikatz (mimikatz_trunk.zip) from https://github.com/gentilkiwi/mimikatz/releases into the C:\Exclusions folder.
5. From the Administrator: Windows PowerShell window, type the following and press Enter:

Expand-Archive -Path C:\Exclusions\mimikatz_trunk.zip -DestinationPath C:\Exclusions -Force

This will extract the content of the downloaded archive into the C:\Exclusions folder.
6. Right-click Start and click Command Prompt (Admin).
7. In the Administrator: Command Prompt window, change the current directory to C:\Exclusions\x64.
8. From the command prompt, run the following:

mimikatz privilege::debug sekurlsa::logonPasswords exit

Examine the output. It should include an entry representing the remote interactive logon of the ADATUM\Student1 account. Note that the value of the Kerberos password entry is null and, even though NTLM and SHA1 hashes are present, they are the credentials of the LON-SVR1 computer account rather than of the ADATUM\Student1 user account (as indicated by the Username : LON-SVR1$ entry).

9. Switch to LON-CL1 and, in the Remote Desktop session to LON-SVR1, right-click Start and click Command Prompt.
10. At the command prompt, type klist and press Enter.
11. Examine the list of Kerberos tickets. Note that they were issued to LON-SVR1$@adatum.com rather than to Student1@adatum.com.
12. From the Command Prompt, run the following:

dir \\LON-CL1.adatum.com\c$

Note that this time the command displays the Access is denied error message. This is expected, since you are using the credentials of the LON-SVR1$@adatum.com computer account, which is not a member of the local Administrators group on LON-CL1. If you need access to remote shares from within a Remote Desktop session in Restricted Admin mode, you must grant permissions to the computer account of the host on which the Remote Desktop session runs (here, LON-SVR1$).
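The two share-access tests (Exercise 1 Task 5 step 13 and step 12 above) are the visible difference between the modes: with Remote Credential Guard, outbound network access from the session uses the signed-on user; with Restricted Admin mode, it uses the host's computer account. The function below automates that comparison from inside the Remote Desktop session to LON-SVR1. It is an added example, not part of the original lab; it assumes that klist prints Client: and Server: lines in its usual "name @ REALM" layout, and it treats a ticket client name ending in $ as the host computer account, which is exactly what the klist output in the two exercises shows.

```powershell
# Added example, not part of the original lab. Run in a Windows PowerShell window
# opened inside the Remote Desktop session to LON-SVR1 (that is, as the session user).
function Get-SessionNetworkIdentity {
    param(
        # Share on the Remote Desktop client: Student1 is a local admin there, LON-SVR1$ is not.
        [string]$Share = '\\LON-CL1.adatum.com\c$'
    )

    # Touch the share first so that any cifs ticket it requests shows up in klist below.
    # Succeeds under Remote Credential Guard (user identity), fails under Restricted Admin
    # (LON-SVR1$ identity), matching the dir output in the lab steps.
    $shareOk = Test-Path -Path $Share -ErrorAction SilentlyContinue

    # klist prints one "Client: <name> @ <REALM>" and one "Server: <spn> @ <REALM>" line per ticket.
    $clients = New-Object System.Collections.Generic.List[string]
    $servers = New-Object System.Collections.Generic.List[string]
    klist 2>$null | ForEach-Object {
        if ($_ -match '^\s*Client:\s*(.+?)\s*@\s*(\S+)') { $clients.Add("$($Matches[1])@$($Matches[2])") }
        elseif ($_ -match '^\s*Server:\s*(\S+)')        { $servers.Add($Matches[1]) }
    }
    $clients = @($clients | Sort-Object -Unique)
    $servers = @($servers | Sort-Object -Unique)

    # Heuristic (assumption): a ticket client name ending in "$" is a computer account,
    # i.e. the session host is authenticating on the network with its own identity.
    $hostIdentity = @($clients | Where-Object { $_ -match '\$@' }).Count -gt 0
    $observedMode = if ($hostIdentity) { 'Restricted Admin (network access as host computer account)' }
                    else               { 'Remote Credential Guard (network access as signed-on user)' }

    [pscustomobject]@{
        InteractiveUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        TicketClients   = $clients -join ', '
        TicketServers   = $servers -join ', '
        ShareAccessible = $shareOk
        ObservedMode    = $observedMode
    }
}

Get-SessionNetworkIdentity | Format-List
```

Run it once in each exercise's session: in Exercise 1 you should see TicketClients of Student1@ADATUM.COM with ShareAccessible True, and in this exercise LON-SVR1$@ADATUM.COM with ShareAccessible False. The interactive user is ADATUM\Student1 in both cases; only the identity used on the network changes.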

13. Log off as Student1@adatum.com from within the Remote Desktop session to LON-SVR1.
14. Switch to the console connection to LON-SVR1 (to which you are signed in as ADATUM\Administrator).
15. On LON-SVR1, right-click Start and click Run.
16. In the Open text box, type eventvwr.msc and click OK.
17. In the Event Viewer window, expand Windows Logs and click Security.
18. In the Security log, search for events with ID 4624 corresponding to successful logons using the Student1@adatum.com credentials. Locate the event corresponding to the logon via Remote Desktop.
19. Double-click the event.
20. On the General tab, scroll down through the details of the event. Make sure that the Logon Type is 10, which represents a RemoteInteractive logon.
21. Note that Restricted Admin Mode is set to Yes.
22. Close the event window.
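Exercise 1 Task 5 steps 17 – 23 and steps 15 – 21 above inspect the same kind of 4624 event by hand in Event Viewer. The function below, an added example that is not part of the original lab, pulls the same fields (Logon Type, Authentication Package, Restricted Admin Mode, source address) for every RemoteInteractive logon of a given user straight from the Security log, so the Remote Credential Guard session and the Restricted Admin session can be compared side by side. The EventData field names used are the ones Windows Server 2016 writes in the 4624 event XML.

```powershell
# Added example, not part of the original lab. Run from an elevated Windows PowerShell
# prompt on LON-SVR1 as ADATUM\Administrator (reading the Security log requires it).
function Get-RemoteInteractiveLogon {
    param(
        [string]$UserName = 'Student1',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )

    # 4624 = "An account was successfully logged on". Filter on the event ID at the log,
    # then on LogonType 10 (RemoteInteractive) and the target user in the parsed XML.
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        $xml = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        if ($data['LogonType'] -ne '10') { continue }
        if ($data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            Time                  = $event.TimeCreated
            TargetUser            = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType             = $data['LogonType']                  # 10 = RemoteInteractive
            AuthenticationPackage = $data['AuthenticationPackageName']  # Negotiate in Exercise 1
            RestrictedAdminMode   = $data['RestrictedAdminMode']        # Yes in Exercise 2
            SourceAddress         = $data['IpAddress']
            Workstation           = $data['WorkstationName']
        }
    }
}

# Oldest first, so the Remote Credential Guard session (Exercise 1) is listed before the
# Restricted Admin session (Exercise 2).
Get-RemoteInteractiveLogon | Sort-Object -Property Time | Format-Table -AutoSize
```

The same filter (LogonType 10 with RestrictedAdminMode Yes or No) is what you would put in a detection rule to confirm that administrators are actually connecting with one of the two protections rather than with plain Remote Desktop logons.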

Results: After completing this exercise, you will have implemented Restricted Admin Mode and tested its functionality.