25 Dec
Security of RDP directly with administrative account VS RDP with normal account and elevation with administrative account
I've had some arguments with people about securing RDP access to servers:
- Team 1 (including me) suggests that direct RDP access should only be possible with a (separate) administrative account.
- Team A suggests that one should do the RDP login with a normal-privilege account and then escalate privileges locally (run as administrator, UAC, etc.). Their main point is that requiring two authentications is more secure. In this case administrative accounts would have privileges (user logon rights) set to reject RDP/network login.
Assuming an average company (Active Directory) with average security (bad/default), I'd say (I have some RT/BT exercise experience) that Team A's approach has a lot more risks.
- I'll give that using Team 1's approach, AD doesn't have MFA (SmartCards are not widely deployed) so leak of single administrative login will directly result in compromise.
- Team A's approach might stall the attacker and result in local server access, which can result in more attack vectors (local exploits, bypass local firewall, invoke NTLM to capture hashes, persistence...). Normal (be it the daily account or something in between daily and admin account) credentials are likely much more widely used, so they are much more likely to leak.
I'd rather not go too deep into hardening or totally alternate scenarios as many companies don't have the will or expertise to change practices (disable RDP, DSC or other configuration management, server-side app allowlisting, use another OS, credential provider MFA...) and use what's readily available and the path of least resistance.
What would you consider a more secure scenario and please explain the risks you see?
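Whichever side one takes, the Team A scheme only holds if the "deny RDP/network logon" user rights are actually applied on every server. The following audit script is an added example, not from the original post; it assumes it is run elevated on a domain-joined member server (not a domain controller, where denying network logon to Domain Admins breaks replication and management), and the hypothetical $AdminSidPatterns list stands in for whatever tier-0 groups a given environment uses.

```powershell
# Added audit example (not the poster's code): export the effective local security policy with
# secedit and verify that administrative principals are present in both "deny" logon rights.
# Assumes: run elevated on a member server; $AdminSidPatterns lists the groups you consider admin.
$AdminSidPatterns = @(
    '^S-1-5-32-544$',                 # BUILTIN\Administrators
    '^S-1-5-21-\d+-\d+-\d+-512$',     # <domain>\Domain Admins
    '^S-1-5-21-\d+-\d+-\d+-519$'      # <forest>\Enterprise Admins
)

# secedit writes a UTF-16 INF; the [Privilege Rights] section holds User Rights Assignment.
# Resolvable accounts are written as SIDs prefixed with '*', e.g. *S-1-5-32-544.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
$lines = Get-Content -Path $cfg -Encoding Unicode
Remove-Item $cfg -ErrorAction SilentlyContinue

function Get-Right([string]$Name) {
    # Returns the principals assigned to one privilege, stripped of the leading '*'.
    foreach ($line in $lines) {
        if ($line -match "^\s*$Name\s*=\s*(.*)$") {
            return ($Matches[1] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
    return @()   # right not assigned to anyone
}

# The two rights Team A relies on to keep admin accounts off RDP and off the network.
$checks = [ordered]@{
    'Deny log on through Remote Desktop Services' = 'SeDenyRemoteInteractiveLogonRight'
    'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
}

$failed = $false
foreach ($label in $checks.Keys) {
    $assigned = Get-Right $checks[$label]
    foreach ($pat in $AdminSidPatterns) {
        $hit = $assigned | Where-Object { $_ -match $pat }
        if ($hit) { "OK      $label : $hit" }
        else      { "MISSING $label : no principal matching $pat"; $failed = $true }
    }
}
# Non-zero exit lets a scheduled task or config-management run flag drift from the policy.
if ($failed) { exit 1 }
```

A MISSING line means an account in that group can still RDP in (or be used for network logon) directly, which is exactly the single-credential exposure the question is weighing.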