We have a production network that is managed by a corporate IT group external to our facility.
We have a test network that is operated as a firewalled network segment.
The firewall is managed by the corporate IT group.
RDP connections are allowed across the firewall to Windows workstations and VMs on the firewalled network segment.
A Windows domain is running on the firewalled network segment and is managed by a local group to apply GPO-based policies.
All resources on the firewalled network require firewall domain credentials for access.
One of the GPOs maps a DFS share.
When working locally:
[Production Workstation] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.
When working remotely from home, we can do the following:
[Remote Workstation] --RDP--> [Production Workstation]
[Production Workstation] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.
In order to facilitate remote users' needs, a terminal server was added to the production network and is managed by the corporate IT group. Remote users would then use the following means of connecting:
[Remote Workstation] --RDP--> [Production Terminal Server]
[Production Terminal Server] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.
In early July, the following 2 policies were added:
1. Delegation of default credentials with NTLM-only server authentication
   Set policy "Allow delegating default credentials with NTLM-only server authentication" to "Disabled"
2. Restrict delegation of credentials to remote servers
   Set policy "Restrict delegation of credentials to remote servers" to "Enabled" and restricted mode to "Require Restricted Admin"
Once these policies were in place:
[Remote Workstation] --RDP--> [Production Terminal Server]
[Production Terminal Server] --RDP across firewall--> [Firewalled workstation]
Users on firewalled workstations can no longer access DFS resources. No permissions. Unmapping everything and remapping sometimes works. Major PITA.
This has to do with passing of credentials and allowing them to be cached by machines that are members in the firewalled network domain.
In the past, we implemented the registry value
HKLM\System\CurrentControlSet\Control\LSA\DisableRestrictedAdmin = REG_DWORD 0x00000000
Firewalled domain credentials are clearly being presented to the firewalled domain in order for users to log on to resources. But how can they then be blocked from being used once access to the resource is granted?
What policy or policies can we implement to trust these credentials?
Other registry entries?
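An added audit script, not part of the original post, that reads the policy-backed registry values behind the two GPOs and the DisableRestrictedAdmin value on whichever machine it runs on. With "Require Restricted Admin" in force, the terminal server never sends the user's credentials to the RDP target, so the remote session can only reach DFS as the target's machine account, which is the "no permissions" symptom described above. The registry paths and value names are the documented policy backing stores; the label text and function names are this script's own.

```powershell
# Added example: audit CredSSP delegation / Restricted Admin settings.
# Run on the Production Terminal Server (RDP client side) and on a
# firewalled workstation (RDP target side) and compare the output.

function Get-RegValue {
    # Returns the DWORD stored at $Path\$Name, or $null if the key or
    # value does not exist (i.e. the policy is "Not configured").
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Describe-Policy {
    # Maps a policy DWORD to a readable label (1 = Enabled, 0 = Disabled).
    param($Value, [string]$EnabledLabel = 'Enabled', [string]$DisabledLabel = 'Disabled')
    if ($null -eq $Value) { return 'Not configured' }
    if ([int]$Value -eq 1) { return $EnabledLabel }
    return $DisabledLabel
}

function Get-CredDelegationState {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $restrict     = Get-RegValue $pol 'RestrictedRemoteAdministration'      # GPO 2 on/off
    $restrictType = Get-RegValue $pol 'RestrictedRemoteAdministrationType'  # GPO 2 mode
    $ntlmDefault  = Get-RegValue $pol 'AllowDefaultCredentialsWhenNTLMOnly' # GPO 1
    $disableRA    = Get-RegValue $lsa 'DisableRestrictedAdmin'              # target side

    $modeNames = @{ 1 = 'Require Restricted Admin'
                    2 = 'Require Remote Credential Guard'
                    3 = 'Restrict credential delegation' }
    $mode = 'n/a'
    if ($null -ne $restrictType -and $modeNames.ContainsKey([int]$restrictType)) {
        $mode = $modeNames[[int]$restrictType]
    }

    # DisableRestrictedAdmin = 0 means this host accepts Restricted Admin logons.
    $hostAccepts = 'Not set (OS default applies)'
    if ($null -ne $disableRA) { $hostAccepts = if ([int]$disableRA -eq 0) { 'Yes' } else { 'No' } }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        RestrictDelegationToRemote    = Describe-Policy $restrict
        RestrictedMode                = $mode
        AllowDefaultCredsNTLMOnly     = Describe-Policy $ntlmDefault
        RestrictedAdminAcceptedByHost = $hostAccepts
        # False when outbound RDP from here drops the user's creds at the target.
        UserCredsReachRdpTarget       = -not ($restrict -eq 1 -and $restrictType -eq 1)
    }
}

Get-CredDelegationState | Format-List
```

A terminal server reporting UserCredsReachRdpTarget = False explains DFS failures inside sessions it opens; the values come from Group Policy, so change them through the GPO rather than editing the registry directly.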