Workstations that are allowed to communicate to Domain Controllers pose a risk of lateral movement.

For organizations that have implemented the Active Directory administrative tier model, or are striving to embrace, their Privileged Access Workstations (PAWs) pose a limited risk through unhardened Remote Desktop connections towards lateral movement. To mitigate some of these risks, we can harden the Remote Desktop connections to Domain Controllers. However, it is still present under admins themselves.

Of course, Active Directory admins can manage most aspects of Active Directory from the Active Directory MMC snap-ins, from the Active Directory Administrative Center, Windows PowerShell module for Active Directory and other remote management tools. However, sometimes, admins need to sign in interactively to Domain Controllers. The Remote Desktop Protocol (RDP) allows this and is enabled by default on Windows Server.

However, the Remote Desktop Protocol (RDP) also has some default settings that allow: Taking over (stale) Remote Desktop sessions to Domain Controllers.

POSSIBLE NEGATIVE IMPACT (WHAT COULD GO WRONG?)