Secure Bits
Plaintext
Passwords in LSASS: Default Credentials
Why would you enable something like this?
This has been disabled by default for years, yet I still encounter it during assessments.
Why?
Well… there's a reason. (Not a good one, though.)
IT admins often want convenience: making it easy for users to log into Terminal Servers or launch RemoteApps without entering their passwords again.
So they enable:
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow delegating default credentials
And sure, it works. You get SSO for RDP.
But it comes with a cost:
The password gets cached in LSASS during login, and it can be extracted from LSASS in plaintext.
You might think: "But I have Credential Guard, right?"
Well… not always. Credential Guard can help, but it's not guaranteed to be active across your environment.
Why not?
⚠️ Older operating systems
⚠️ Virtual machines without Secure Boot
⚠️ And the big trap I see far too often: Windows Professional edition
Did you know Credential Guard isn't available on Windows Pro?
So even if you think you're covered, you might not be.
The Better Option?
If your goal is secure SSO for RDP, this isn't it. Use Remote Credential Guard instead. It gives you the same SSO experience, but without caching the password in LSASS memory.
Enable these policies:
1. Computer Configuration\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials (on the remote host)
2. Computer Configuration\Administrative Templates\System\Credentials Delegation\Restrict delegation of credentials to remote servers (on the client)
Still using Default Credential Delegation?
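To check where a host stands on the three points above (default credential delegation enabled, Credential Guard actually running, Remote Credential Guard policies set), here is an added PowerShell audit snippet; it is not from the original post. It assumes the registry value names written by the CredSsp ADMX template (AllowDefaultCredentials, AllowProtectedCreds, RestrictedRemoteAdministration, RestrictedRemoteAdministrationType) and the mode numbering in the comments; verify both against the ADMX on your own system.

```powershell
# Added audit example, not from the original post. Registry value names and the
# RestrictedRemoteAdministrationType numbering are assumptions; check your CredSsp.admx.
$credDeleg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy is "Not Configured"
}

# 1. "Allow delegating default credentials": enabled, and for which SPN patterns?
if ((Get-PolicyValue $credDeleg 'AllowDefaultCredentials') -eq 1) {
    # The target list is stored as numbered string values (e.g. "1" = "TERMSRV/*")
    # in a subkey of the same name.
    $key = Get-Item -Path "$credDeleg\AllowDefaultCredentials" -ErrorAction SilentlyContinue
    $targets = if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } } else { @() }
    Write-Warning "Default credential delegation is ENABLED for: $($targets -join ', ')"
} else {
    Write-Host 'Default credential delegation: not enabled'
}

# 2. Is Credential Guard actually running on this host?
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
$edition   = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
Write-Host "Credential Guard running: $cgRunning ($edition)"
if (-not $cgRunning) { Write-Warning 'Credential Guard is not running; LSASS secrets are not isolated.' }

# 3. The two Remote Credential Guard policies from the post
$hostAllowsProtected = Get-PolicyValue $credDeleg 'AllowProtectedCreds'                # remote host side
$clientEnabled       = Get-PolicyValue $credDeleg 'RestrictedRemoteAdministration'     # client side
$clientMode          = Get-PolicyValue $credDeleg 'RestrictedRemoteAdministrationType' # client side
# Assumed mode values: 1 = Restricted Admin, 2 = Remote Credential Guard, 3 = either is acceptable
$modeText = if ($clientEnabled -eq 1) {
    switch ($clientMode) {
        1 { 'Require Restricted Admin' }
        2 { 'Require Remote Credential Guard' }
        3 { 'Restrict credential delegation (either mode)' }
        default { 'enabled, mode not set' }
    }
} else { 'Not configured' }
Write-Host "Remote host allows delegation of non-exportable credentials: $($hostAllowsProtected -eq 1)"
Write-Host "Restrict delegation of credentials to remote servers: $modeText"
```

Run it on both the RDP client and the remote host, since the first Remote Credential Guard policy only matters on the host and the second only on the client.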
