Let's say that I have a machine on my domain that has been compromised by an unknown attacker. If I use my domain credentials to log into that machine remotely, via RDP, does that expose my credentials to the attacker?
I know AD uses kerberos internally, but I'm unclear if the RDP client gets the kerberos ticket directly from the domain controller, or if it sends the login info to the server, which then gets the ticket.
To clarify, the computer running mstsc is Windows 7, and the possibly compromised machine is 2008 R2.
It would expose your credentials the same way as if you entered them at the terminal on the compromised machine (e.g. possibly not at all, but quite possibly). Although SSPI (especially Kerberos) is supported starting from RDP 6.0, usually `mstsc` does not obtain the Kerberos ticket; it sends your keystrokes over the RDP connection (encrypted against the compromised machine's machine certificate), and the RDP server obtains the Kerberos ticket. If you want to make sure the server can't steal your password, you need to be certain you are using Kerberos to authenticate over RDP. You could also use certificate-based (that is, smart card) authentication - but bear in mind that unless configured otherwise, RDP will pass through smart card auth in many cases.
Bear in mind, also, that stealing your credentials isn't the only threat here. No matter what, the target machine will at some point have your ticket-granting ticket on it, meaning that it will be able to perform actions as you for the validity of the ticket-granting ticket. This is basically session fixation. The compromised server could also just hijack your session.
In short, no, this isn't particularly safe.
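A client-side check for the "be certain you are using Kerberos" point in the answer above, added here as an example rather than code from the answer: it parses `klist tickets` on the Windows client that ran mstsc and reports any TERMSRV/ service tickets, which exist only when the RDP handshake authenticated the server with Kerberos. The function name, the `-KlistOutput` parameter and the sample output are my own assumptions, not anything from the answer.

```powershell
# Added example, not from the original answers. Run on the client after the RDP
# session is established (klist.exe ships with Windows Vista/7 and later).
# A TERMSRV/<host> ticket means the handshake used Kerberos via SSPI; if none
# appears for the host you connected to, the keystroke-forwarding case from the
# answer applies. The ticket only proves how the connection was authenticated.
function Get-RdpKerberosTicket {
    param(
        # Hypothetical parameter: raw 'klist tickets' lines captured earlier.
        # When omitted, klist.exe is run for the current logon session.
        [string[]]$KlistOutput = $null
    )
    if (-not $KlistOutput) { $KlistOutput = & klist.exe tickets 2>$null }
    $results = @()
    $server  = $null
    $realm   = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s+(\S+)\s+@\s+(\S+)') {
            $server = $Matches[1]
            $realm  = $Matches[2]
        }
        elseif ($server -and $line -match '^\s*End Time:\s+(.+?)(\s+\(local\))?\s*$') {
            if ($server -like 'TERMSRV/*') {
                $results += [pscustomobject]@{
                    Host    = $server.Substring('TERMSRV/'.Length)
                    Realm   = $realm
                    Expires = $Matches[1].Trim()   # ties to the TGT validity caveat above
                }
            }
            $server = $null   # one End Time line closes the current ticket entry
        }
    }
    return $results
}

# Constructed sample of klist output (user, hosts and times are made up) so the
# parsing can be seen without a live session; drop -KlistOutput to query klist.
$sample = @'
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        End Time:   5/6/2012 21:15:03 (local)
#1>     Client: alice @ CORP.EXAMPLE
        Server: TERMSRV/srv01.corp.example @ CORP.EXAMPLE
        End Time:   5/6/2012 21:15:03 (local)
'@ -split "`r?`n"

Get-RdpKerberosTicket -KlistOutput $sample | Format-Table -AutoSize
```

With the constructed sample, the table lists one row for srv01.corp.example; on a real client an empty result for the host you just connected to is the finding to act on.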
You may want to adjust your expectations, as today's attacker has more of an advantage than you may think.
On any Windows machine that has been compromised, the token of anyone who has logged on to that machine remains in memory until the machine is restarted. It is possible, and has been widely known for several years, to compromise the tokens in memory and impersonate those accounts. Those compromised tokens can be used to attack other systems over the network with those credentials.
It is also worth noting that although Kerberos tokens have an expiration, Windows process tokens do not - they are indefinite. This was a particularly curious design decision, given that authentication tokens do have an expiration field, but it isn't used by Windows.
http://www.mwrinfosecurity.com/assets/107/luke_jennings_mwrinfosecurity_MakingSenseOfRisk_one-token-to-rule-them-all2.ppt