Disclaimer: Him, who would like to participate, should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036
or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy
If not, I do not think it would make sense.
In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.
Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.
Main idea: avoid using support accounts that have administrative privileges on more than one machine, use dedicated, per-machine-admins, instead. If those get somehow compromised, the attacker will only have admin rights on a single client machine – even this will not be a problem to us because the account will be disabled immediately after support.
Config/use case: Let’s call the machines pc1/pc2/… - we leave the local admin disabled and create domain accounts adminpc1/adminpc2/… but disable them and also configure them as not to be able to logon to a single machine (logonworkstations=zero machines)
Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using remoteassistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”, I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we do even log which supporter activates what account and connects to whom
So…If the concept is understood, what do you think?
I see no problem or flaw so far.