In Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used. For more information, see Audit logon events.
(-) denotes when credentials are not exposed.The symbols in this table defined as follows: Reusable credentials on destination - Indicates that the following credential types will be stored in LSASS process memory on the destination computer where the specified account is logged on locally:.Logon type - Identifies the logon type initiated by the connection.Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.įor web authentication, use the reference from the table below: Connection method Password will also be saved as LSA secret on disk. PsExec \\server -u user -p pwd cmd Creates multiple logon sessions.Īuthenticating to Remote Desktop Gateway. New-PSSession server -Authentication Credssp -Credential cred This may not be the case if the computer is compromised.Įxample: Computer Management, Event Viewer, Device Manager, Services Remote Desktop (failure - logon type was denied)īy default, if RDP logon fails credentials are only stored briefly. If the remote desktop client is configured to share local devices and resources, those may be compromised as well. Includes hardware remote access / lights-out cards and network KVMs.Ĭlones current LSA session for local access, but uses new credentials when connecting to network resources. This table includes guidance for the most common administrative tools and connection methods: Connection method Whether credentials are exposed to potential theft on the target (remote) computer depends primarily on the windows logon type used by the connection method. In a remote administration scenario, credentials are always exposed on the source computer so a trustworthy privileged access workstation (PAW) is always recommended for sensitive or high impact accounts. This reference information is provided to help identify the risk of credential exposure associated with different administrative tools for remote administration.
0 kommentar(er)
