MikhailFirsov-1277 asked:

Restricted Admin Mode vs security best practice

Hello!

A theory question regarding Restricted Admin mode:

Theory 1 (there are many other documents stating that remote access for local accounts must be forbidden):

In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to Local account (S-1-5-113) for all Windows client and server configurations. This blocks all remote access for all local accounts.

Theory 2 (two screenshots, 161.png and 162.png, not reproduced here):


Am I getting it right that following the security best practice first introduced "In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance" means you can't use the "Highest protection level" available for RDP - the Restricted Admin mode?


Thank you in advance,
Michael

Tags: windows-server, windows-server-2019, windows-10-network, windows-server-2016, windows-server-2012

JiaYou-MSFT answered:

Hi MikhailFirsov-1277,

I am researching your issue; thank you for waiting.


MikhailFirsov-1277 answered:

Thank you, JiaYou-MSFT!


Hi MikhailFirsov-1277,

Thanks for waiting and for your reply.

The document above does not indicate that you can't use the "Highest protection level".
I think that when we deny network and remote desktop logon to Local account (S-1-5-113) for all Windows client and server configurations, we cannot access the remote server remotely using a local account (including the admin account). But if the remote server receives the local admin credentials and denies this local admin logon, I think we still need Restricted Admin mode and the "Highest protection level" for RDP, since "Restricted Admin mode provides a method of interactively logging on to a remote host server without transmitting your credentials to the server."



Hi MikhailFirsov-1277,

Is there any progress on your question?


Sorry for the delay - we can't use local accounts but the domain accounts that are members of the local Administrators group can still be used to make remote connections.

Regards,
Michael

Hi MikhailFirsov-1277,

Thanks for your reply.

S-1-5-114: NT AUTHORITY\Local account and member of Administrators group
The second SID is also added to the token if the local account is a member of the built-in Administrators group.

1. Did you set this S-1-5-114 SID in User Rights Assignment in Group Policy for "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services"?

2. Could you please share which "Restricted Admin Mode" settings are applied to your RDS environment?

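The two checks JiaYou-MSFT asks about (whether S-1-5-113 / S-1-5-114 are in the two "Deny ..." user rights, and whether Restricted Admin mode is enabled on the RDP target) can be audited in one pass on the server. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on the RDP target, uses `secedit /export` to read the user-rights assignments, and reads the `DisableRestrictedAdmin` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (0 means the host accepts `mstsc /restrictedAdmin` connections). The temporary file name and the interpretation of an absent registry value as "not explicitly configured" are the example's own assumptions.

```powershell
# Added example (not from the thread): audit whether the Local account SIDs are denied
# network / RDP logon on this host and whether Restricted Admin mode is enabled.
# Assumes an elevated PowerShell session on the RDP target server.

$localAccountSid = 'S-1-5-113'   # NT AUTHORITY\Local account
$localAdminSid   = 'S-1-5-114'   # NT AUTHORITY\Local account and member of Administrators group

# 1. Export the local security policy (user rights area only) so the assignments can be parsed.
#    The file name is an arbitrary choice for this example.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $cfg

function Get-RightPrincipals {
    param([string]$RightName)
    # Exported lines look like:  SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
    $line = $policy | Where-Object { $_ -match "^$RightName\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$denyNetwork = Get-RightPrincipals 'SeDenyNetworkLogonRight'            # "Deny access to this computer from the network"
$denyRdp     = Get-RightPrincipals 'SeDenyRemoteInteractiveLogonRight'  # "Deny log on through Remote Desktop Services"

"=== Local account SIDs in the two Deny user rights ==="
foreach ($sid in $localAccountSid, $localAdminSid) {
    # Resolve the SID to a name where the OS knows it (Windows 8.1 / 2012 R2 and later).
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch { $name = '(unresolved)' }
    [pscustomobject]@{
        Principal          = "$name ($sid)"
        DeniedNetworkLogon = [bool]($denyNetwork -contains $sid)
        DeniedRdpLogon     = [bool]($denyRdp -contains $sid)
    }
}

# 2. Restricted Admin mode on the server side.
#    DisableRestrictedAdmin = 0 -> host accepts "mstsc /restrictedAdmin" sessions.
#    Absent value: treated here as "not explicitly configured" (assumption; check your OS defaults).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
"=== Restricted Admin mode (server) ==="
if ($null -eq $lsa) {
    'DisableRestrictedAdmin: not set (not explicitly configured)'
} elseif ($lsa.DisableRestrictedAdmin -eq 0) {
    'DisableRestrictedAdmin: 0 (Restricted Admin mode enabled)'
} else {
    "DisableRestrictedAdmin: $($lsa.DisableRestrictedAdmin) (Restricted Admin mode disabled)"
}

Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Read together, the two outputs show the situation Michael describes: with S-1-5-113 in both Deny rights, a local account cannot open an RDP session at all, Restricted Admin or not, while a domain account that is a member of the local Administrators group can still connect with `mstsc /restrictedAdmin` when `DisableRestrictedAdmin` is 0. The deny rights and the Restricted Admin setting are therefore independent controls, which is the point of JiaYou-MSFT's reply: denying local accounts does not prevent using the "Highest protection level" for the domain accounts that remain allowed.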