How to Connect to a Windows 8.1 or Server 2012 R2 Remote Desktop Using Restricted Admin Mode

I’d like to use Restricted Admin mode to connect to a Windows 8.1 Remote Desktop. How can I do that?

Windows 8.1 and Windows Server 2012 R2 contain a series of enhancements that are designed to protect Windows against pass-the-hash (PtH) attacks. Password hashes are stored on disk and memory, and if compromised, they can be used by hackers to gain access to systems without a user’s plaintext password.

A new feature that helps prevent this kind of attack in Windows 8.1 and Server 2012 R2 is the option to connect to Remote Desktops without sending credentials across the network. As such, credentials are never present on the remote box, which in turn reduces the risk of credential compromise if the remote machine is infected with malware designed.

Usage scenarios

An example of when Remote Desktop Restricted Admin mode might come in handy is when connecting from a trusted management PC to a remote device that doesn’t have the same level of trust, and is more likely to be infected with a virus. In this case, the helper’s credentials are less likely to be compromised when connecting to the remote machine because they are never sent or stored on the remote device.

Does that mean I don’t need to worry about using privileged credentials for everyday support work?

Despite the welcome PtH mitigations in Windows 8.1 and Remote Desktop Restricted Admin mode, it is still best practice not to use privileged credentials, such as local or domain administrator accounts, for everyday computing tasks or supporting other users on your network.

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

Restricted Admin mode: Remote Desktop connection Windows 8.1 Server 2012 R2

Connect using Restricted Admin mode

Restricted Admin mode is implemented as a switch from the command line. All you need to do is make sure you are connecting to and from Windows 8.1 or Server 2012 R2. When the /restrictedadmin switch is used, Windows tries to log you on to the remote box interactively. One disadvantage is that you might not be able to hop to other PCs or networked services.

Open a command prompt, type mstsc /restrictedadmin and press ENTER to connect to a remote Windows 8.1 or Server 2012 R2 device using Restricted Admin mode. Once the Remote Desktop Connection app has opened, you can connect as normal.

Related Topics:

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: