Solved

Looking for opinions on our support-user-concept for windows

Posted on 2014-01-31
7
498 Views
Last Modified: 2014-03-17
Disclaimer: Him, who would like to participate, should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036 or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy and http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
If not, I do not think it would make sense.
--
Hi experts.

In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.

Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.

Main idea: avoid using support accounts that have administrative privileges on more than one machine, use dedicated, per-machine-admins, instead. If those get somehow compromised, the attacker will only have admin rights on a single client machine – even this will not be a problem to us because the account will be disabled immediately after support.

Config/use case: Let’s call the machines pc1/pc2/… - we leave the local admin disabled and create domain accounts adminpc1/adminpc2/… but disable them and also configure them as not to be able to logon to a single machine (logonworkstations=zero machines)

Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using remoteassistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”, I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we do even log which supporter activates what account and connects to whom

So…If the concept is understood, what do you think?
I see no problem or flaw so far.
0
Comment
Question by:McKnife
  • 4
  • 3
7 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39827056
If I have a rubber ducky and gain physical access to the machine I can then own the machine.
https://forums.hak5.org/index.php?/topic/16233-question-defences-against-the-ducky/
http://hak5.org/episodes/episode-709
0
 
LVL 54

Author Comment

by:McKnife
ID: 39827491
Hi.
Why not explain what that is, ve3ofa, instead of making me read it?
We have usb restrictions in place, yes.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39828292
The rubber ducky presents itself as a HID (keyboard) and is on the open market for sale
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 54

Author Comment

by:McKnife
ID: 39828308
And what is the connection to rdp support? I am familiar with the ducky by now and I see no connection at all.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39828411
Your support plan seems reasonable.  I use Citrix GotoAssist and monitor my clients and sometimes I can fix something before they know it is an issue. I use this rather than remote desktop

The point that I'm trying to stress is that once someone has physical access to the machine all bets are off as to what can be on the machine.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 0 total points
ID: 39828788
David, why did you bring this ducky here? It has nothing, nothing at all to do with it*.
A description of your support method could be interesting, if you stress why you prefer it.

* [ http://www.youtube.com/watch?v=JON76zbiL1o#t=421 shows, that admin credentials are used, by the way. The user in whose name the ducky runs its scripts is already admin. He can also read out any other password of user that have been connected to the computer since last startup - I know, I am familiar with mimikatz, but what's the use? The support user's password will not be worth anything for reasons given, he cannot logon anywhere but on the supported machine and only while activated]
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 39933718
Closing since no real discussion of the topic took place.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Review of apps API SSL Cert policy 2 31
Can not open an anonymous level security token 2 44
Need extreme network security for home 16 84
Window update errors on VMs 9 22
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question