Windows 8.1 and Windows Server 2012 R2 contain a series of enhancements designed to protect Windows against pass-the-hash (PtH) attacks. Password hashes are stored on disk (in the SAM or Active Directory database) and held in memory by LSASS for every logged-on account; if an attacker obtains one, it can be replayed to authenticate as that user without ever knowing the plaintext password.
A new feature in Windows 8.1 and Server 2012 R2 that helps limit this kind of attack is the option to connect to a Remote Desktop without sending your credentials to the remote host. Because the logon is a network-style authentication rather than a credential delegation, no reusable credential (password, NTLM hash or Kerberos TGT) is ever present on the remote box, which reduces the risk of credential theft if that machine is already infected with credential-stealing malware.
A typical case where Remote Desktop Restricted Admin mode comes in handy is connecting from a trusted management PC to a remote device that does not enjoy the same level of trust and is therefore more likely to be compromised. The helper's credentials are far less exposed when connecting to such a machine, because they are neither sent to nor stored on the remote device; even a tool such as a memory scraper running there has nothing reusable to collect.
Despite the welcome PtH mitigations in Windows 8.1 and Remote Desktop Restricted Admin mode, it is still best practice not to use privileged credentials, such as local or domain administrator accounts, for everyday computing tasks or supporting other users on your network.
Restricted Admin mode is enabled with a command-line switch on the client. Both ends must be Windows 8.1 or Server 2012 R2 (or later), and your account must be a member of the local Administrators group on the remote host, because the mode is designed for administration rather than ordinary user sessions. When the /restrictedadmin switch is used, Windows authenticates you to the remote box with a network logon (Kerberos or NTLM) instead of delegating your credentials to it; the session still runs under your user account, but no password, hash or ticket for that account is placed in the remote host's LSASS. The flip side is that the session has no credential to present onward: any connection you make from inside the remote session to another PC, file share or networked service is made using the remote computer's machine account, so "second hop" access that used to work silently will now fail or prompt. Two points a practitioner should keep in mind: the remote host must be willing to accept Restricted Admin logons (governed by the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 0 allows them), and because the host accepts a network logon, an attacker who already holds an administrator's NTLM hash can use exactly this mode to reach the host without the password. Restricted Admin mode protects the administrator's credential from the remote host; it does not protect the host from hash-based authentication. On the client side, the Group Policy setting "Restrict delegation of credentials to remote servers" (Computer Configuration > Administrative Templates > System > Credentials Delegation) can be used to require Restricted Admin for every RDP connection so that nobody forgets the switch.
Open a command prompt, type mstsc /restrictedadmin and press ENTER. The Remote Desktop Connection app opens as usual (the window title notes that Restricted Admin mode is in use), and you enter the remote Windows 8.1 or Server 2012 R2 host name and connect as normal; you can also pass the target directly with mstsc /restrictedadmin /v:hostname.
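The following PowerShell script is an added example, not code from the original article or from Microsoft: it wraps the procedure above in a pre-flight check (is the local client new enough, and will the target accept a Restricted Admin logon?) before launching mstsc with the switch. It assumes PowerShell 4 or later on the management PC, WinRM reachability to the target for the remote registry read, and that you are a local administrator on the target; the function names and the host name in the usage line are hypothetical.

```powershell
# Added example (not part of the original article or of Windows itself).
# Assumes: PowerShell 4+ on a Windows 8.1 / Server 2012 R2 management PC,
# WinRM open to the target, and that the caller is in the target's local
# Administrators group (Restricted Admin mode requires this).

# Registry value on the *target* that gates Restricted Admin logons.
# 0 = accept them; 1 or absent = refuse them (hosts patched after release
# refuse by default, so the value must be created explicitly).
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaValue = 'DisableRestrictedAdmin'

function Test-LocalClientSupport {
    # mstsc gained /restrictedadmin in Windows 8.1 / Server 2012 R2 (NT 6.3).
    $v = [Environment]::OSVersion.Version
    return ($v.Major -gt 6) -or ($v.Major -eq 6 -and $v.Minor -ge 3)
}

function Get-RestrictedAdminState {
    # Hypothetical helper: reads DisableRestrictedAdmin on the target over
    # WinRM and returns $true when a Restricted Admin logon would be accepted.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $p) { return $false }   # value absent -> logons refused
        return ($p.$Name -eq 0)
    } -ArgumentList $LsaKey, $LsaValue
}

function Enable-RestrictedAdmin {
    # Hypothetical helper: opts the target in. Only do this for hosts you are
    # prepared to let any holder of an admin's NTLM hash reach over RDP.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        New-ItemProperty -Path $Key -Name $Name -Value 0 `
            -PropertyType DWord -Force | Out-Null
    } -ArgumentList $LsaKey, $LsaValue
}

function Connect-RestrictedAdmin {
    # Hypothetical helper: runs the checks, then launches the same command a
    # user would type by hand (mstsc /restrictedadmin), with the target
    # pre-filled via /v:. No password is collected or sent by this script.
    param([Parameter(Mandatory)][string]$ComputerName)
    if (-not (Test-LocalClientSupport)) {
        throw 'Local mstsc predates Windows 8.1; /restrictedadmin is unavailable.'
    }
    if (-not (Get-RestrictedAdminState -ComputerName $ComputerName)) {
        throw "$ComputerName has $LsaValue unset or 1; the logon would be refused."
    }
    Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" `
        -ArgumentList @('/restrictedadmin', "/v:$ComputerName")
}

# Usage (hypothetical host name):
# Connect-RestrictedAdmin -ComputerName 'branch-pc01.corp.example'
```

Once the session is up, a quick way to confirm you really are in Restricted Admin mode is to try an onward connection from inside it, for example mapping a file share on a third server: whoami still reports your own account, but the share access is made with the remote computer's machine account and will normally be refused. That refusal is the expected behaviour, not a fault; it is the visible sign that there is no reusable credential on the host for malware to steal.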