Understanding and Enabling the Restricted Admin Mode for RDP

Restricted Admin mode for RDP allows administrators to connect to remote computers using RDP, without having their credentials stored on those computers.

Jan De Clercq

December 30, 2014

Windows Gatekeeper Q&As

Q: What is the security value of the Restricted Admin mode for RDP that Microsoft includes in Windows 8.1 and Windows Server 2012 R2?

A: When administrators connect to a remote computer using RDP, their credentials are normally stored on the remote computer, which is a security threat if that system has been compromised. Restricted Admin mode for RDP allows administrators to connect to a remote system using RDP without having to worry about exposing their credentials to a system that might be less secure or even compromised.

To use Restricted Admin mode, an additional parameter must be added to the Remote Desktop client application at the command line, as follows:

mstsc.exe /RestrictedAdmin

Restricted Admin mode is disabled by default. You can enable it locally by changing the DisableRestrictedAdmin registry entry on the RDP client. This REG_DWORD entry is located in the HKLM\System\CurrentControlSet\Control\Lsa registry key. If you set DisableRestrictedAdmin to 0, you enable Restricted Admin mode. When enabled, Restricted Admin mode will be used on all RDP connections from that particular RDP client.

You can also enable Restricted Admin mode centrally using the Restrict delegation of credentials to remote servers Group Policy Object (GPO) setting. This setting is located in the Computer Configuration\Administrative Templates\System\Credentials Delegation GPO container.
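The following PowerShell script is an added example, not part of the original column, that ties the three steps above together: it reads the DisableRestrictedAdmin value under HKLM\System\CurrentControlSet\Control\Lsa, sets it to 0 if it is missing or non-zero, reports whether the Credentials Delegation policy has been applied, and then launches mstsc.exe with the /RestrictedAdmin switch. It assumes an elevated PowerShell session on the machine whose Lsa key you are changing, and the target host name is a placeholder. The policy-backing path under HKLM\SOFTWARE\Policies is not mentioned in the column; it is the registry location the Credentials Delegation policy writes to when applied. When auditing a fleet, check the value on both the client and the remote host, since Microsoft's own guidance for this value refers to the host that accepts the connection.

```powershell
# Added example (not from the original article): audit/enable Restricted Admin mode,
# then start the Remote Desktop client with /RestrictedAdmin.
# Assumptions: elevated session; SERVER01.example.local is a placeholder host name.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'
# Registry location written by the "Restrict delegation of credentials to remote servers" policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-RestrictedAdminState {
    # Returns 'Enabled' (value 0), 'Disabled' (non-zero) or 'NotConfigured' (value absent).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdminMode {
    # Creates or overwrites the REG_DWORD with 0, as the column describes.
    if (-not (Test-Path $LsaKey)) { throw "Lsa key not found: $LsaKey" }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-CredentialDelegationPolicy {
    # Reports the raw policy value if Group Policy has applied the setting; $null otherwise.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'RestrictedRemoteAdministration' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.RestrictedRemoteAdministration
}

$before = Get-RestrictedAdminState
Write-Host "Restricted Admin mode (local registry): $before"
if ($before -ne 'Enabled') {
    Enable-RestrictedAdminMode
    Write-Host "Restricted Admin mode after change:    $(Get-RestrictedAdminState)"
}

$policy = Get-CredentialDelegationPolicy
if ($null -eq $policy) {
    Write-Host 'Credentials Delegation policy: not applied by Group Policy'
} else {
    Write-Host "Credentials Delegation policy: RestrictedRemoteAdministration = $policy"
}

# Launch the Remote Desktop client in Restricted Admin mode against the placeholder host.
$TargetHost = 'SERVER01.example.local'
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$TargetHost", '/RestrictedAdmin'
```

Run it once to see the before/after state printed; on a machine where the GPO already applies the setting, the local registry change is redundant but harmless, and the policy line tells you which mechanism is in force.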
