What is Remote Credential Guard?
Find out what Remote Credential Guard is and how to enable it.
August 29, 2016
Q. What is Remote Credential Guard?
A. Windows Server 2016 and Windows 10 Anniversary Edition and later when used together provide another layer of security with Remote Credential Guard that extends the current Credential Guard ideals of protecting authentication tickets even when using Remote Desktop Session Hosts. With Remote Credential Guard your credential never leaves your local machine (providing you are using Kerberos for authentication). This means you must connect using a hostname and not IP address. With Remote Credential Guard when Kerberos authentication is performed the RDP client fetches the host ticket for the RDP server in addition to its Ticket Granting Ticket (TGT) then presents those tickets to the RDP server however the TGT is presented in an encrypted form that the RDP server cannot decrypt. Anytime the RDP server needs to access a resource as the user it talks back to the RDP client to enable the necessary tickets to be created. This means credentials are not kept in memory of the RDP server stopping a malicious process on the RDP server harvesting credentials.
To use Remote Credential Guard you must run the following command on any RDP servers you connect to (which actually sets the disable to false and therefore enabled!):
REG ADD HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa /v DisableRestrictedAdmin /t REG_DWORD /d 0x00000000 /f
Then when connecting to the server using mstsc you must add the /remoteguard switch, for example:
mstsc /v: /remoteguard
There is also a Group Policy available at Computer Configuration - Administrative Templates - System - Credentials Delegation named Restrict delegation of credentials to remote servers that when enabled configure if remote credential guard is preferred (used if possible) or required.
You will know you are using remote credential guard as because the tickets are all local you won't be prompted for credentials with a side benefit of enabling single-sign on. If you don't use /remoteguard you will be prompted for credentials.
About the Author
You May Also Like