RDP Restricted Admin mode

  • Question

  • Hello!

    The theory: https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

    Can't understand multi-hop restriction for the Restricted Admin mode:

    When a user (an administrator) initiates another RDP connection (the second hop) from the remote host to which he/she has already connected, doesn't it create ANOTHER session which will be using the new supplied or signed-in credentials?

    In other words:

    1) User1 connects to the remote server Server1 in the Restricted Admin mode using the Server1\Administrator account: THIS SESSION runs under the Server1 COMPUTER account (as per MS documentation above) - the first hop.

    2) User1 tries to make a new RDP connection from Server1 to Server2 (the second hop - NOT in the Restricted Admin mode!) - wouldn't this NEW RDP connection run under ANOTHER set of credentials - either Server1\Administrator (the signed-in user) or some other manually supplied credentials?

    Thank you in advance,

    Michael


    • Edited by MF47 Wednesday, March 14, 2018 8:29 AM
    Wednesday, March 14, 2018 8:28 AM

All replies

  • Hi,

    Based on my research and test, the next hop (without restricted admin mode) will require us to supply credential.

    Here is another article about Restricted admin mode, for your reference:

    https://blogs.technet.microsoft.com/kfalde/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2/

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 15, 2018 8:51 AM
  • "Based on my research and test, the next hop (without restricted admin mode) will require us to supply credential." - my tests show that the next hop works perfectly with the restricted admin mode as well:

    1) SQL1 is the first remote "target" (hop).

    2) Win10 - RDP client: the first connection to SQL1:

    3) The first RESTRICTED RDP session: access denied to \\dc\share because no computer accounts have access to it:

    By the way, my connection does NOT have a security padlock on the RDP bar above that means the connection was authenticated by Kerberos (as opposed to the article above). This bar is not shown here.

    4) While logged in to SQL1 I initiate a NEW RDP connection (NOT restricted) to the second remote server - Exch1 - the second hop: that should NOT work according to the MS documentation in the beginning of the post:

    As you see, this (NOT restricted) RDP session does have the "security" padlock in the upper RDP bar, so its presence does not mean the connection is restricted.

    So I haven't had any problems with multiple RDP connections in spite of "Multi-hop Not allowed for user as the session is running as a local host account". Either "Multi-hop" is something else or this article is not correct.

    Regards,

    Michael




    • Edited by MF47 Tuesday, March 20, 2018 7:47 AM typo
    Thursday, March 15, 2018 3:31 PM
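Added example, not code from this thread or from Microsoft: a read-only PowerShell check of the two LSA registry values that decide whether a host accepts Restricted Admin connections and whether such a session may go outbound as the computer account, which is the setting behind the multi-hop behaviour argued about above. The function name and the -LsaKey parameter are my own choices; it assumes Windows PowerShell on the host being audited.

```powershell
# Added example (not from the thread): report the Restricted Admin posture of
# the local host from the documented LSA registry values. Read-only.
function Get-RestrictedAdminPosture {
    [CmdletBinding()]
    param(
        # Standard LSA key; parameter exists only so the path can be overridden.
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop

    # DisableRestrictedAdmin: 0 = the host accepts mstsc /restrictedAdmin
    # connections (the session then uses the computer account on the network);
    # 1 or absent = Restricted Admin mode is off on this host.
    $inbound        = $props.PSObject.Properties['DisableRestrictedAdmin']
    $inboundEnabled = ($null -ne $inbound -and $inbound.Value -eq 0)

    # DisableRestrictedAdminOutboundCreds: 1 = a Restricted Admin session may
    # not make outbound connections with the host's own credentials, i.e. the
    # second hop cannot ride on the computer account; 0 or absent = allowed.
    $outbound        = $props.PSObject.Properties['DisableRestrictedAdminOutboundCreds']
    $outboundBlocked = ($null -ne $outbound -and $outbound.Value -eq 1)

    if ($inboundEnabled -and -not $outboundBlocked) {
        $note = 'Restricted Admin sessions may reach other hosts as the computer account; ' +
                'set DisableRestrictedAdminOutboundCreds=1 to block that.'
    } elseif ($inboundEnabled) {
        $note = 'Restricted Admin on; outbound use of the computer account is blocked, ' +
                'so a second hop needs explicitly supplied credentials.'
    } else {
        $note = 'Restricted Admin mode is not enabled on this host.'
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        RestrictedAdminAccepted     = $inboundEnabled
        OutboundMachineCredsBlocked = $outboundBlocked
        Note                        = $note
    }
}

Get-RestrictedAdminPosture | Format-List
```

Run it on each RDP target in the chain (SQL1 and Exch1 in the test above) to see which hop can still use the computer account outbound.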
  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    William




    Tuesday, March 20, 2018 1:41 AM
  • Hi William,

    Thank you for your help!

    Tuesday, March 20, 2018 7:47 AM