Solved

Looking for opinions on our support-user-concept for windows

Posted on 2014-01-31
7
485 Views
Last Modified: 2014-03-17
Disclaimer: Him, who would like to participate, should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036 or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy and http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
If not, I do not think it would make sense.
--
Hi experts.

In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.

Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.

Main idea: avoid using support accounts that have administrative privileges on more than one machine, use dedicated, per-machine-admins, instead. If those get somehow compromised, the attacker will only have admin rights on a single client machine – even this will not be a problem to us because the account will be disabled immediately after support.

Config/use case: Let’s call the machines pc1/pc2/… - we leave the local admin disabled and create domain accounts adminpc1/adminpc2/… but disable them and also configure them as not to be able to logon to a single machine (logonworkstations=zero machines)

Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using remoteassistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”, I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we do even log which supporter activates what account and connects to whom

So…If the concept is understood, what do you think?
I see no problem or flaw so far.
0
Comment
Question by:McKnife
  • 4
  • 3
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39827056
If I have a rubber ducky and gain physical access to the machine I can then own the machine.
https://forums.hak5.org/index.php?/topic/16233-question-defences-against-the-ducky/
http://hak5.org/episodes/episode-709
0
 
LVL 53

Author Comment

by:McKnife
ID: 39827491
Hi.
Why not explain what that is, ve3ofa, instead of making me read it?
We have usb restrictions in place, yes.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39828292
The rubber ducky presents itself as a HID (keyboard) and is on the open market for sale
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 53

Author Comment

by:McKnife
ID: 39828308
And what is the connection to rdp support? I am familiar with the ducky by now and I see no connection at all.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39828411
Your support plan seems reasonable.  I use Citrix GotoAssist and monitor my clients and sometimes I can fix something before they know it is an issue. I use this rather than remote desktop

The point that I'm trying to stress is that once someone has physical access to the machine all bets are off as to what can be on the machine.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 0 total points
ID: 39828788
David, why did you bring this ducky here? It has nothing, nothing at all to do with it*.
A description of your support method could be interesting, if you stress why you prefer it.

* [ http://www.youtube.com/watch?v=JON76zbiL1o#t=421 shows, that admin credentials are used, by the way. The user in whose name the ducky runs its scripts is already admin. He can also read out any other password of user that have been connected to the computer since last startup - I know, I am familiar with mimikatz, but what's the use? The support user's password will not be worth anything for reasons given, he cannot logon anywhere but on the supported machine and only while activated]
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39933718
Closing since no real discussion of the topic took place.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now