Solved

Looking for opinions on our support-user-concept for windows

Posted on 2014-01-31
Medium Priority
520 Views
Last Modified: 2014-03-17
Disclaimer: Whoever would like to participate should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036 or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy and http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
If not, I do not think it would make sense.
--
Hi experts.

In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.

Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.

Main idea: avoid using support accounts that have administrative privileges on more than one machine; use dedicated per-machine admins instead. If those somehow get compromised, the attacker will only have admin rights on a single client machine, and even this will not be a problem for us because the account will be disabled immediately after support.

Config/use case: Let’s call the machines pc1/pc2/…. We leave the local admin disabled and create domain accounts adminpc1/adminpc2/…, but disable them and also configure them so that they cannot log on to any machine (logonworkstations = zero machines).

Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using Remote Assistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”: I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we even log which supporter activates what account and connects to whom.

So… if the concept is understood, what do you think?
I see no problem or flaw so far.
0
Question by:McKnife
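The asker mentions a "single click" script but does not post it. The following is an added example of what such a script could look like, written here for illustration; it is not the asker's script. It assumes the RSAT ActiveDirectory module, the account naming from the question (adminpc1 for pc1), a log path that is a placeholder, and that LogonWorkstations is pinned to a non-existent computer name (here "NOLOGON") to express "zero machines", since the question does not say how that is achieved. The Restricted Admin switch for mstsc follows the article the question links; it only applies where the target supports it.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the asker's script): enable a per-machine support admin,
# run one RDP session, then disable it again and log who did it.

$LogFile = '\\fileserver\supportlog\support-admin.log'   # assumed placeholder path
$NoLogonWorkstation = 'NOLOGON'                           # assumed non-existent computer name

function New-RandomPassword {
    param([int]$Length = 24)
    # Characters are drawn from a CSPRNG; rejection sampling avoids modulo bias.
    $charset = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@')
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit   = 256 - (256 % $charset.Length)
    $sb      = New-Object System.Text.StringBuilder
    $buf     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($charset[$buf[0] % $charset.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Write-SupportLog {
    param([string]$Message)
    # Records which supporter touched which account for which machine.
    $line = '{0:u} {1}\{2} {3}' -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

function Enable-SupportAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    $account  = "admin$ComputerName"
    $password = New-RandomPassword
    $secure   = ConvertTo-SecureString -String $password -AsPlainText -Force
    # Pin the account to the single target machine, rotate the password, then enable it.
    Set-ADUser -Identity $account -LogonWorkstations $ComputerName
    Set-ADAccountPassword -Identity $account -Reset -NewPassword $secure
    Enable-ADAccount -Identity $account
    Write-SupportLog "ENABLE $account for $ComputerName"
    return $password
}

function Disable-SupportAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    $account = "admin$ComputerName"
    # Disable first, then rotate the password once more and pin the account to no
    # workstation, so anything captured during the session is worthless afterwards.
    Disable-ADAccount -Identity $account
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $account -Reset -NewPassword $secure
    Set-ADUser -Identity $account -LogonWorkstations $NoLogonWorkstation
    Write-SupportLog "DISABLE $account for $ComputerName"
}

function Start-SupportSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $password = Enable-SupportAdmin -ComputerName $ComputerName
    try {
        # The one-time password is shown to the supporter and never stored.
        Write-Host "Password for admin$ComputerName (valid until mstsc closes): $password"
        # /restrictedAdmin keeps the credential off the client on targets that support it
        # (Windows 8.1 / 2012 R2 per the linked article); drop the switch for older clients.
        Start-Process -FilePath mstsc.exe -ArgumentList "/v:$ComputerName", '/restrictedAdmin' -Wait
    }
    finally {
        # Runs even if mstsc fails to start, so the account never stays enabled.
        Disable-SupportAdmin -ComputerName $ComputerName
    }
}

# Usage: Start-SupportSession -ComputerName pc1
```

The disable step deliberately rotates the password a second time: disabling the account alone already blocks new logons, but a fresh random password also covers the case where the account is later re-enabled by mistake with the old, possibly captured, secret still valid.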
7 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39827056
If I have a rubber ducky and gain physical access to the machine I can then own the machine.
https://forums.hak5.org/index.php?/topic/16233-question-defences-against-the-ducky/
http://hak5.org/episodes/episode-709
0
 
LVL 56

Author Comment

by:McKnife
ID: 39827491
Hi.
Why not explain what that is, ve3ofa, instead of making me read it?
We have USB restrictions in place, yes.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39828292
The rubber ducky presents itself as a HID (keyboard) and is on the open market for sale.
0
 
LVL 56

Author Comment

by:McKnife
ID: 39828308
And what is the connection to rdp support? I am familiar with the ducky by now and I see no connection at all.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39828411
Your support plan seems reasonable. I use Citrix GoToAssist and monitor my clients, and sometimes I can fix something before they know it is an issue. I use this rather than Remote Desktop.

The point that I'm trying to stress is that once someone has physical access to the machine all bets are off as to what can be on the machine.
0
 
LVL 56

Accepted Solution

by: McKnife (earned 0 total points)
ID: 39828788
David, why did you bring this ducky here? It has nothing, nothing at all to do with it*.
A description of your support method could be interesting, if you stress why you prefer it.

* [ http://www.youtube.com/watch?v=JON76zbiL1o#t=421 shows that admin credentials are used, by the way. The user in whose name the ducky runs its scripts is already admin. He can also read out any other password of users that have connected to the computer since the last startup. I know, I am familiar with mimikatz, but what's the use? The support user's password will not be worth anything for the reasons given: he cannot log on anywhere but on the supported machine, and only while activated. ]
0
 
LVL 56

Author Closing Comment

by:McKnife
ID: 39933718
Closing since no real discussion of the topic took place.
0
