Should You Use RDP Restricted Admin Mode?

In October 2013, I wrote about How to Connect to a Windows 8.1 or Server 2012 R2 Remote Desktop Using Restricted Admin Mode on the Petri IT Knowledgebase. Since then, Microsoft has disabled Restricted Admin Mode out-of-the-box after third-party security researchers raised concerns. In this Ask the Admin, I’ll provide you with an update on the situation.

Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. This includes scenarios when IT help desk staff use administrator credentials for remote PC support or when domain admin accounts are used to connect remotely to member servers.

Restricted Admin Mode for Remote Desktop Connection is now disabled by default. (Image Credit: Russell Smith)
Restricted Admin Mode for Remote Desktop Connection is now disabled by default. (Image Credit: Russell Smith)

Remote Desktop Protocol Logon Process

When connecting to a remote device using the Remote Desktop Protocol (RDP), the user authenticates to the local RDP service using the Remote Interactive Logon Process. In this context, interactive means that the user physically enters their username and password.

The RDP service then performs a network logon to the remote device to make sure the user is allowed access, but doesn’t require any further input because the Kerberos TGS ticket or NTLM hash that was created during the initial logon can be used for authentication.

Once authenticated by the RDP service on the target device, the user’s credentials are sent over a secure channel to the remote device, and an interactive logon is carried out so the user can access the remote desktop.

Restricted Admin Mode

If Restricted Admin Mode for Remote Desktop Connection is enabled from the command line in Windows 2012 R2 or Windows 8.1, and assuming that both the client and server support it, the local RDP service tries to log in to the remote device using a network logon, so the user’s credentials aren’t sent across the network.

​mstsc /restrictedadmin

In cases where the target device is compromised, network logons are more secure because the user’s password is not exposed to the target machine, and no hash or token is generated on the target. But assuming the target device hasn’t been compromised, interactive logons are considered more secure, because users are required to enter their credentials, rather than relying on a hash that could have been discovered and then used in a Pass-the-Hash type of attack.

Restricted Admin Mode Limitations

When Restricted Admin Mode is enabled, the user authenticated on the remote device may not be able to connect to other remote devices, as delegation is restricted and connections to other remote devices are made using the local computer account. For example, you might not be able to connect to a network drive from the RDP session.

Enable or Disable Restricted Admin Mode

Restricted Admin Mode is disabled by default. It can be enabled by setting the DisableRestrictedAdmin value to 0 in the HKLM\System\CurrentControlSet\Control\Lsa registry key, or by enabling the Restrict delegation of credentials to remote servers setting in Group Policy under Computer Configuration > Administrative Templates > System > Credentials Delegation. For more information on working with Group Policy, see How to Create and Link a Group Policy Object in Active Directory on the Petri IT Knowledgebase.

Should I Use Restricted Admin Mode?

If you restrict remote desktop access sessions to sensitive devices so that they can only be initiated from secured workstations, you might consider enabling Restricted Admin Mode, because it is less likely that compromised password hashes can be used to authenticate via RDP when Restricted Admin Mode is enabled.

But if you follow basic security best practices, you shouldn’t need to use Restricted Admin Mode in most situations. Protect administrator credentials by starting with the following best practices:

  1. Domain administrator accounts should only be used to log in to domain controllers (DCs), and never for administering member servers, supporting end-users’ PCs or joining servers or workstations to the domain.
  2. Every device in your organization should be configured with a unique administrator username and password, for management purposes and remote support. This account should not be the built-in administrator account.
  3. All administrative tasks should be performed from dedicated, secure workstations.
  4. Log in with a standard user account.