Alle systemadministratorbrugere har en meget oprigtig bekymring – at sikre legitimationsoplysninger via en fjernskrivebordsforbindelse^(Desktop) . Dette skyldes, at malware kan finde vej til enhver anden computer via skrivebordsforbindelsen og udgøre en potentiel trussel mod dine data. Det er grunden til, at Windows OS viser en advarsel " Sørg for, at du har tillid til denne pc, tilslutning til en computer, der ikke er tillid til, kan skade din pc^{(Make sure you trust this PC, connecting to an untrusted computer might harm your PC)} ", når du forsøger at oprette forbindelse til et eksternt skrivebord.

I dette indlæg vil vi se, hvordan funktionen Remote Credential Guard , som er blevet introduceret i  Windows 10 , kan hjælpe med at beskytte legitimationsoplysninger til fjernskrivebord i Windows 10 Enterprise og Windows Server .

Remote Credential Guard i Windows 10

Funktionen er designet til at eliminere trusler, før den udvikler sig til en alvorlig situation. Det hjælper dig med at beskytte dine legitimationsoplysninger via en fjernskrivebordsforbindelse^(Desktop) ved at omdirigere Kerberos -anmodningerne tilbage til den enhed, der anmoder om forbindelsen. Det giver også single sign-on-oplevelser til Remote Desktop -sessioner.

I tilfælde af uheld, hvor målenheden er kompromitteret, bliver brugerens legitimationsoplysninger ikke afsløret, fordi både legitimationsoplysninger og legitimationsoplysninger aldrig sendes til målenheden.

Fremgangsmåden for Remote Credential Guard er meget lig den beskyttelse, som Credential Guard tilbyder på en lokal maskine, bortset fra at Credential Guard beskytter også lagrede domænelegitimationsoplysninger via Credential Manager .

En person kan bruge Remote Credential Guard på følgende måder-

1. Da administratorlegitimationsoplysninger^{(Administrator)} er yderst privilegerede, skal de beskyttes. Ved at bruge Remote Credential Guard kan du være sikker på, at dine legitimationsoplysninger er beskyttet, da det ikke tillader legitimationsoplysninger at passere over netværket til målenheden.
2. Helpdesk -medarbejdere i din organisation skal oprette forbindelse til domæneforbundne enheder, der kan blive kompromitteret. Med Remote Credential Guard kan helpdesk-medarbejderen bruge RDP til at oprette forbindelse til målenheden uden at kompromittere deres legitimationsoplysninger til malware.

Krav til hardware og software

For at muliggøre en problemfri funktion af Remote Credential Guard skal du sikre, at følgende krav til Remote Desktop -klient og -server er opfyldt.

1. Fjernskrivebordsklienten^{(Remote Desktop Client)} og serveren skal være forbundet med et Active Directory-domæne
2. Begge enheder skal enten sluttes til det samme domæne, eller fjernskrivebordsserveren^{(Remote Desktop)} skal forbindes med et domæne med et tillidsforhold til klientenhedens domæne.
3. Kerberos- godkendelsen skulle have været aktiveret.
4. Remote Desktop- klienten skal køre mindst Windows 10 , version 1607 eller Windows Server 2016 .
5. Remote Desktop Universal Windows Platform- appen understøtter ikke Remote Credential Guard , så brug den klassiske Windows -app Remote Desktop .

Aktiver Remote Credential Guard via registreringsdatabasen^(Registry)

For at aktivere Remote Credential Guard på målenheden skal du åbne Registreringseditor^{(Registry Editor)} og gå til følgende nøgle:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Tilføj en ny DWORD-værdi ved navn DisableRestrictedAdmin . Indstil værdien af ​​denne registreringsdatabaseindstilling til 0 for at aktivere Remote Credential Guard .

Luk Registreringseditor.

Du kan aktivere Remote Credential Guard ved at køre følgende kommando fra en forhøjet CMD:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Slå Remote Credential Guard til ved at bruge gruppepolitik^{(Group Policy)}

Det er muligt at bruge Remote Credential Guard på klientenheden ved at indstille en gruppepolitik^{(Group Policy)} eller ved at bruge en parameter med Remote Desktop Connection .

Fra Group Policy Management Console skal du navigere til Computer Configuration > Administrative Templates > System > Credentials Delegation.

Dobbeltklik nu på Begræns delegering af legitimationsoplysninger til fjernservere^{(Restrict delegation of credentials to remote servers)} for at åbne dens egenskabsboks.

Vælg nu Require Remote Credential Guard i feltet Brug følgende begrænset tilstand . ^{(Use the following restricted mode)}Den anden mulighed Begrænset Admin-tilstand^{(Restricted Admin mode)} er også til stede. Dets betydning er, at når Remote Credential Guard ikke kan bruges, vil den bruge Restricted Admin -tilstand.

Under alle omstændigheder vil hverken Remote Credential Guard eller Restricted Admin -tilstand sende legitimationsoplysninger i klartekst til Remote Desktop -serveren.

Tillad Remote Credential Guard^{(Allow Remote Credential Guard)} ved at vælge ' Foretrækker Remote Credential Guard^{(Prefer Remote Credential Guard)} ' mulighed.

Klik på OK^{(Click OK)} , og afslut Group Policy Management Console .

gpupdate.exe /force fra en kommandoprompt for at sikre, at gruppepolitikobjektet^{(Group Policy)} anvendes.

Brug Remote Credential Guard^{(Use Remote Credential Guard)} med en parameter til Remote Desktop Connection

Hvis du ikke bruger gruppepolitik^{(Group Policy)} i din organisation, kan du tilføje remoteGuard-parameteren, når du starter Remote Desktop Connection for at aktivere Remote Credential Guard for den forbindelse.

mstsc.exe /remoteGuard

Ting du bør huske på, når du bruger Remote Credential Guard

1. Remote Credential Guard kan ikke bruges til at oprette forbindelse til en enhed, der er forbundet med Azure Active Directory .
2. Remote Desktop Credential Guard fungerer kun med RDP -protokollen.
3. Remote Credential Guard inkluderer ikke enhedskrav. For eksempel, hvis du forsøger at få adgang til en filserver fra fjernbetjeningen, og filserveren kræver enhedskrav, vil adgang blive nægtet.
4. Serveren og klienten skal godkendes ved hjælp af Kerberos .
5. Domænerne skal have et tillidsforhold, eller både klienten og serveren skal være forbundet til det samme domæne.
6. Remote Desktop Gateway er ikke kompatibel med Remote Credential Guard .
7. Ingen legitimationsoplysninger er lækket til målenheden. Målenheden erhverver dog stadig Kerberos Service Tickets på egen hånd.
8. Til sidst skal du bruge legitimationsoplysningerne for den bruger, der er logget på enheden. Brug af gemte legitimationsoplysninger eller legitimationsoplysninger, der er anderledes end dine, er ikke tilladt.

Du kan læse mere om dette på Technet .

Relateret^(Related) : Sådan øges antallet af fjernskrivebordsforbindelser^{(increase the number of Remote Desktop Connections)} i Windows 10.

Remote Credential Guard protects Remote Desktop credentials

All system administrator uѕers haνe one very genuine concern – securing credentials ovеr a Remote Desktop connectіon. This is beсausе malware can find its way to any other computer ovеr the desktop connection and pose a potential threat to your data. That is why Windows OS flaѕhеs a warning “Make sure you trust this PC, connecting to an untrusted computer might harm your PC” when you try to connect to a remote desktop.

In this post, we will see how the Remote Credential Guard feature, which has been introduced in Windows 10, can help protect remote desktop credentials in Windows 10 Enterprise and Windows Server.

Remote Credential Guard in Windows 10

The feature is designed to eliminate threats before it develops into a serious situation. It helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that’s requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

In the event of any misfortune where the target device is compromised, credentials of the user are not exposed because both credential and credential derivatives are never sent to the target device.

The modus operandi of Remote Credential Guard is very similar to the protection offered by Credential Guard on a local machine except for Credential Guard also protects stored domain credentials via the Credential Manager.

An individual can use Remote Credential Guard in the following ways-

1. Since Administrator credentials are highly privileged, they must be protected. By using Remote Credential Guard, you can be assured that your credentials are protected as it does not allow credentials to pass over the network to the target device.
2. Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.

Hardware and software requirements

To enable smooth functioning of the Remote Credential Guard, ensure the following requirements of Remote Desktop client and server are met.

1. The Remote Desktop Client and server must be joined to an Active Directory domain
2. Both devices must either joined to the same domain, or the Remote Desktop server must be joined to a domain with a trust relationship to the client device’s domain.
3. The Kerberos authentication should have been enabled.
4. The Remote Desktop client must be running at least Windows 10, version 1607 or Windows Server 2016.
5. The Remote Desktop Universal Windows Platform app doesn’t support Remote Credential Guard so, use Remote Desktop classic Windows app.

Enable Remote Credential Guard via Registry

To enable Remote Credential Guard on the target device, open Registry Editor and go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Add a new DWORD value named DisableRestrictedAdmin. Set the value of this registry setting to 0 to turn on Remote Credential Guard.

Close the Registry Editor.

You can enable Remote Credential Guard by running the following command from an elevated CMD:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Turn on Remote Credential Guard by using Group Policy

It is possible to use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.

From the Group Policy Management Console, navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation.

Now, double-click Restrict delegation of credentials to remote servers to open its Properties box.

Now in the Use the following restricted mode box, choose Require Remote Credential Guard. The other option Restricted Admin mode is also present. Its significance is that when Remote Credential Guard cannot be used, it will use Restricted Admin mode.

In any case, neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.

Allow Remote Credential Guard, by choosing ‘Prefer Remote Credential Guard’ option.

Click OK and exit the Group Policy Management Console.

Now, from a command prompt, run gpupdate.exe /force to ensure that the Group Policy object is applied.

Use Remote Credential Guard with a parameter to Remote Desktop Connection

If you don’t use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.

mstsc.exe /remoteGuard

Things you should keep in mind when using Remote Credential Guard

1. Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
2. Remote Desktop Credential Guard only works with the RDP protocol.
3. Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied.
4. The server and client must authenticate using Kerberos.
5. The domains must have a trust relationship, or both the client and the server must be joined to the same domain.
6. Remote Desktop Gateway is not compatible with Remote Credential Guard.
7. No credentials are leaked to the target device . However, the target device still acquires the Kerberos Service Tickets on its own.
8. Lastly, you must use the credentials of the user who is logged into the device. Using saved credentials or credentials that are different than yours are not permitted.

You can read more on this at Technet.

Related: How to increase the number of Remote Desktop Connections in Windows 10.

Related posts

• Forøg antallet af fjernskrivebordsforbindelser i Windows 11/10

• Windows-tasten sidder fast efter skift fra Remote Desktop-session

• Kan ikke kopiere indsæt i fjernskrivebordssession i Windows 10

• Der er opstået godkendelsesfejl, den anmodede funktion understøttes ikke

• Opret genvej til fjernskrivebordsforbindelse i Windows 11/10

• Ret Remote Desktop Error Code 0x104 på Windows 11/10

• Kommandolinjeparametre for fjernskrivebordsforbindelser

• Fjern historieposter fra fjernskrivebordsforbindelse i Windows 11

• For at logge på eksternt skal du logge på via Remote Desktop Services

• Sådan bruger du Remote Desktop (RDP) i Windows 11/10 Home

• Skift lytteporten til Remote Desktop

• Sådan bruger du Remote Desktop-appen på Windows 10

• Fjernskrivebord-indstillingen er nedtonet på Windows 10

• Opret forbindelse til en Windows-pc fra Ubuntu ved hjælp af Remote Desktop Connection

• Bedste gratis Remote Desktop-software til Windows 10

• Ret Remote Desktop Error Code 0x204 på Windows 11/10

• Sådan sender du Ctrl+Alt+Delete i en fjernskrivebordssession

• Fanen Remote Desktop i RDWEB mangler fra Edge-browseren i Windows 10

• Sådan konfigureres fjernskrivebord via router

• Remote Desktop Services forårsager høj CPU i Windows 11/10