Solved

Looking for opinions on our support-user-concept for windows

Posted on 2014-01-31
7
478 Views
Last Modified: 2014-03-17
Disclaimer: Him, who would like to participate, should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036 or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy and http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
If not, I do not think it would make sense.
--
Hi experts.

In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.

Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.

Main idea: avoid using support accounts that have administrative privileges on more than one machine, use dedicated, per-machine-admins, instead. If those get somehow compromised, the attacker will only have admin rights on a single client machine – even this will not be a problem to us because the account will be disabled immediately after support.

Config/use case: Let’s call the machines pc1/pc2/… - we leave the local admin disabled and create domain accounts adminpc1/adminpc2/… but disable them and also configure them as not to be able to logon to a single machine (logonworkstations=zero machines)

Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using remoteassistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”, I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we do even log which supporter activates what account and connects to whom

So…If the concept is understood, what do you think?
I see no problem or flaw so far.
0
Comment
Question by:McKnife
  • 4
  • 3
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39827056
If I have a rubber ducky and gain physical access to the machine I can then own the machine.
https://forums.hak5.org/index.php?/topic/16233-question-defences-against-the-ducky/
http://hak5.org/episodes/episode-709
0
 
LVL 53

Author Comment

by:McKnife
ID: 39827491
Hi.
Why not explain what that is, ve3ofa, instead of making me read it?
We have usb restrictions in place, yes.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39828292
The rubber ducky presents itself as a HID (keyboard) and is on the open market for sale
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 53

Author Comment

by:McKnife
ID: 39828308
And what is the connection to rdp support? I am familiar with the ducky by now and I see no connection at all.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39828411
Your support plan seems reasonable.  I use Citrix GotoAssist and monitor my clients and sometimes I can fix something before they know it is an issue. I use this rather than remote desktop

The point that I'm trying to stress is that once someone has physical access to the machine all bets are off as to what can be on the machine.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 0 total points
ID: 39828788
David, why did you bring this ducky here? It has nothing, nothing at all to do with it*.
A description of your support method could be interesting, if you stress why you prefer it.

* [ http://www.youtube.com/watch?v=JON76zbiL1o#t=421 shows, that admin credentials are used, by the way. The user in whose name the ducky runs its scripts is already admin. He can also read out any other password of user that have been connected to the computer since last startup - I know, I am familiar with mimikatz, but what's the use? The support user's password will not be worth anything for reasons given, he cannot logon anywhere but on the supported machine and only while activated]
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39933718
Closing since no real discussion of the topic took place.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now