DagmarHeidecker Thank you! Great work!
Quick question: what mechanism stops someone from logging in with a "normal" non-T0 account to a non-PAW device and then using RDP with a T0 account to log in to a T0 computer?
In my research, Network Level Authentication (NLA) together with an Authentication Policy would stop that, but an Authentication Policy by itself would not.
NLA requires that a Kerberos ticket be requested on the non-T0 computer from which you are starting the RDP session, and because we are trying to acquire a T0 user ticket on a non-T0 computer, the Authentication Policy will block that.
When NLA is disabled, the Kerberos ticket for the T0 user is requested on the RDP destination server (the server we are trying to connect to), and if that is a T0 server, the Authentication Policy will allow it.
TL;DR: in order for everything to work as you describe in the images, NLA must be enabled on the T0 servers. Was that also your finding?
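A quick way to verify the condition raised in this comment (that NLA is actually required on every T0 server) is to read the RDP-Tcp listener's `UserAuthentication` value on each host. This is an added audit snippet, not code from the thread or from DagmarHeidecker's post; the server names are placeholders and it assumes WinRM is reachable and the caller has local admin rights on the targets.

```powershell
# Added example: audit whether Network Level Authentication is enforced on a set of Tier 0 servers.
# Assumptions: WinRM is enabled on the targets and the caller is a local administrator there.
$Tier0Servers = @('T0-DC01', 'T0-PKI01')   # placeholder names, replace with your own T0 hosts

function Get-NlaStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # UserAuthentication = 1 means "Require user authentication for remote connections
        # by using Network Level Authentication" is in effect for the RDP-Tcp listener.
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $value = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction Stop).UserAuthentication
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            NlaRequired  = ($value -eq 1)
            RawValue     = $value
        }
    }
}

$results = Get-NlaStatus -ComputerName $Tier0Servers
$results | Sort-Object ComputerName | Format-Table ComputerName, NlaRequired, RawValue -AutoSize

# Hosts where NlaRequired is False are the case the comment describes: with NLA off, the T0
# user's ticket is requested on the destination server itself, inside the T0 policy boundary,
# so the Authentication Policy alone does not block the logon from a non-T0 client.
$results | Where-Object { -not $_.NlaRequired } |
    ForEach-Object { Write-Warning "NLA is not required on $($_.ComputerName)" }
```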