?
Solved

Looking for opinions on our support-user-concept for windows

Posted on 2014-01-31
7
Medium Priority
?
526 Views
Last Modified: 2014-03-17
Disclaimer: Him, who would like to participate, should at least be familiar with all of the following documents: http://www.microsoft.com/en-us/download/details.aspx?id=36036 or the whole mimikatz story http://pt.slideshare.net/ASF-WS/asfws-2012-mimikatz-par-benjamin-delpy and http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
If not, I do not think it would make sense.
--
Hi experts.

In order to keep in-house end-user support via RDP (on domain-joined vista/win7/win8.1) as secure as possible, we are about to use a new concept that I will draw a sketch of, here.

Motivation: we see the end-user systems as untrusted. Using administrative accounts on them poses the risk of credential theft. Therefore, we are trying to find a concept where credential theft would do the least potential damage. I have designed one and now I am looking for reviews.

Main idea: avoid using support accounts that have administrative privileges on more than one machine, use dedicated, per-machine-admins, instead. If those get somehow compromised, the attacker will only have admin rights on a single client machine – even this will not be a problem to us because the account will be disabled immediately after support.

Config/use case: Let’s call the machines pc1/pc2/… - we leave the local admin disabled and create domain accounts adminpc1/adminpc2/… but disable them and also configure them as not to be able to logon to a single machine (logonworkstations=zero machines)

Now when an end user of machine pc1 has a problem that needs interactive support, we will first try to solve it with his account using remoteassistance (msra.exe, not RD) inside his session, not using any admin accounts. If that is not successful because the solution would require admin rights on his machine, we activate adminpc1, set a strong, random password, enable it to log on to machine pc1 and start an RD session. Afterwards, we disable adminpc1 again. The whole process, start to end, is “single click”, I wrote a script that only needs the target machine’s name. Those accounts are used by several supporters, yes, but we do even log which supporter activates what account and connects to whom

So…If the concept is understood, what do you think?
I see no problem or flaw so far.
0
Comment
Question by:McKnife
  • 4
  • 3
7 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39827056
If I have a rubber ducky and gain physical access to the machine I can then own the machine.
https://forums.hak5.org/index.php?/topic/16233-question-defences-against-the-ducky/
http://hak5.org/episodes/episode-709
0
 
LVL 57

Author Comment

by:McKnife
ID: 39827491
Hi.
Why not explain what that is, ve3ofa, instead of making me read it?
We have usb restrictions in place, yes.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39828292
The rubber ducky presents itself as a HID (keyboard) and is on the open market for sale
0
Rewarding opportunities for women in IT

Across the nation, technology jobs are vacant because there aren’t enough qualified professionals to fill them. With a degree from WGU, you can get the credentials it takes to become an in-demand IT professional. Plus, WGU’s IT programs include industry certifications.

 
LVL 57

Author Comment

by:McKnife
ID: 39828308
And what is the connection to rdp support? I am familiar with the ducky by now and I see no connection at all.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39828411
Your support plan seems reasonable.  I use Citrix GotoAssist and monitor my clients and sometimes I can fix something before they know it is an issue. I use this rather than remote desktop

The point that I'm trying to stress is that once someone has physical access to the machine all bets are off as to what can be on the machine.
0
 
LVL 57

Accepted Solution

by:
McKnife earned 0 total points
ID: 39828788
David, why did you bring this ducky here? It has nothing, nothing at all to do with it*.
A description of your support method could be interesting, if you stress why you prefer it.

* [ http://www.youtube.com/watch?v=JON76zbiL1o#t=421 shows, that admin credentials are used, by the way. The user in whose name the ducky runs its scripts is already admin. He can also read out any other password of user that have been connected to the computer since last startup - I know, I am familiar with mimikatz, but what's the use? The support user's password will not be worth anything for reasons given, he cannot logon anywhere but on the supported machine and only while activated]
0
 
LVL 57

Author Closing Comment

by:McKnife
ID: 39933718
Closing since no real discussion of the topic took place.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question