New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Should You Use RDP Restricted Admin Mode?

In October 2013, I wrote about How to Connect to a Windows 8.1 or Server 2012 R2 Remote Desktop Using Restricted Admin Mode on the Petri IT Knowledgebase. Since then, Microsoft has disabled Restricted Admin Mode out-of-the-box after third-party security researchers raised concerns. In this Ask the Admin, I’ll provide you with an update on the situation.

Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. This includes scenarios when IT help desk staff use administrator credentials for remote PC support or when domain admin accounts are used to connect remotely to member servers.

Restricted Admin Mode for Remote Desktop Connection is now disabled by default. (Image Credit: Russell Smith)

Remote Desktop Protocol Logon Process

When connecting to a remote device using the Remote Desktop Protocol (RDP), the user authenticates to the local RDP service using the Remote Interactive Logon Process. In this context, interactive means that the user physically enters their username and password.

The RDP service then performs a network logon to the remote device to make sure the user is allowed access, but doesn’t require any further input because the Kerberos TGS ticket or NTLM hash that was created during the initial logon can be used for authentication.

Once authenticated by the RDP service on the target device, the user’s credentials are sent over a secure channel to the remote device, and an interactive logon is carried out so the user can access the remote desktop.

Restricted Admin Mode

If Restricted Admin Mode for Remote Desktop Connection is enabled from the command line in Windows 2012 R2 or Windows 8.1, and assuming that both the client and server support it, the local RDP service tries to log in to the remote device using a network logon, so the user’s credentials aren’t sent across the network.

mstsc /restrictedadmin

In cases where the target device is compromised, network logons are more secure because the user’s password is not exposed to the target machine, and no hash or token is generated on the target. But assuming the target device hasn’t been compromised, interactive logons are considered more secure, because users are required to enter their credentials, rather than relying on a hash that could have been discovered and then used in a Pass-the-Hash type of attack.

Restricted Admin Mode Limitations

When Restricted Admin Mode is enabled, the user authenticated on the remote device may not be able to connect to other remote devices, as delegation is restricted and connections to other remote devices are made using the local computer account. For example, you might not be able to connect to a network drive from the RDP session.

Enable or Disable Restricted Admin Mode

Restricted Admin Mode is disabled by default. It can be enabled by setting the DisableRestrictedAdmin value to 0 in the HKLM\System\CurrentControlSet\Control\Lsa registry key, or by enabling the Restrict delegation of credentials to remote servers setting in Group Policy under Computer Configuration > Administrative Templates > System > Credentials Delegation. For more information on working with Group Policy, see How to Create and Link a Group Policy Object in Active Directory on the Petri IT Knowledgebase.

Should I Use Restricted Admin Mode?

If you restrict remote desktop access sessions to sensitive devices so that they can only be initiated from secured workstations, you might consider enabling Restricted Admin Mode, because it is less likely that compromised password hashes can be used to authenticate via RDP when Restricted Admin Mode is enabled.

But if you follow basic security best practices, you shouldn’t need to use Restricted Admin Mode in most situations. Protect administrator credentials by starting with the following best practices:

Domain administrator accounts should only be used to log in to domain controllers (DCs), and never for administering member servers, supporting end-users’ PCs or joining servers or workstations to the domain.
Every device in your organization should be configured with a unique administrator username and password, for management purposes and remote support. This account should not be the built-in administrator account.
All administrative tasks should be performed from dedicated, secure workstations.
Log in with a standard user account.

by Russell Smith
Jan 8, 2015

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

Streamlining SaaS Governance: How Nudge Security Simplifies Compliance and Security Management for Cloud Apps

Oct 30, 2023
Nov 03, 2023
Webinar: Learn How to Keep Critical Web Apps Online and Sensitive Data Secure

May 9, 2023
The Ultimate Guide to Web Application Firewalls (WAF)

Jun 20, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.