SOLVED

Does Windows Admin Center protect Domain Administrator passwords

%3CLINGO-SUB%20id%3D%22lingo-sub-2115863%22%20slang%3D%22en-US%22%3EDoes%20Windows%20Admin%20Center%20protect%20Domain%20Administrator%20passwords%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2115863%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20like%20to%20manage%20my%20core%20Windows%202016%20domain%20controllers%20using%20Windows%20Admin%20Center.%20As%20I%20can't%20install%20WAC%20on%20a%20domain%20controller%2C%20I%20must%20use%20my%20PC%20or%20a%20nearby%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%20whether%20I%20am%20exposing%20my%20domain%20admin%20credentials%20accessing%20these%20core%20domain%20controllers%20while%20using%20WAC%3F%20How%20is%20the%20password%20protected%20and%20disposed%20of%20after%20my%20WAC%20session%20ends%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20advice.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2115863%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWAC%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2139626%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Windows%20Admin%20Center%20protect%20Domain%20Administrator%20passwords%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2139626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F955380%22%20target%3D%22_blank%22%3E%40LL10890%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHoping%20for%20a%20reply.%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2153427%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Windows%20Admin%20Center%20protect%20Domain%20Administrator%20passwords%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2153427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F955380%22%20target%3D%22_blank%22%3E%40LL10890%3C%2FA%3E%26nbsp%3BI%20asked%20the%20same%20question%20to%20Microsoft%20and%20below%20is%20their%20response%2C%20I%20hope%20it%20helps%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CEM%3ECredentials%20are%20not%20stored%20-%20anywhere.%20They%20are%20ephemeral%20from%20the%20gateway%E2%80%99s%20perspective%20but%20may%20live%20encrypted%20within%20browser%20memory%20during%20the%20user%E2%80%99s%20current%20session.%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EThe%20UI%20sends%20credentials%20by%3A%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CUL%3E%3CLI%3E%3CEM%3EEncrypting%20the%20text%20with%20the%20Json%20Web%20Key%20(JWK)%20specification%20using%3A%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3CLI%3E%3CEM%3ERSA%20asymmetric%20encryption%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3CLI%3E%3CEM%3EA%202%2C048%20key%20size%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3CLI%3E%3CEM%3ESHA-512%20hash%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CEM%3EThe%20encrypted%20value%20is%20sent%20in%20a%20HTTP%20header%20which%20is%20further%20encrypted%20by%20TLS%2FSSL%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EThe%20server%20decrypts%20the%20value%2C%20when%20present%20and%20stores%20it%20in%20memory%20using%20the%20Windows%20Data%20Protection%20API%20(DPAPI)%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EWhen%20connecting%20to%20a%20resource%2C%20the%20gateway%20uses%20one%20of%20the%20following%20methods%3A%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CUL%3E%3CLI%3E%3CEM%3EUses%20a%20type%20of%20Windows%20logon%20that%20only%20allows%20the%20credentials%20to%20be%20used%20to%20authenticate%20against%20a%20remote%20target%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CEM%3EScenarios%20for%20this%20include%20non-PowerShell%20paths%20such%20as%20SMB%20operations%20such%20as%20file%20uploads%20or%20downloads%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CUL%3E%3CLI%3E%3CEM%3EWinRM%20calls%20for%20PowerShell%2FWMI%20to%20include%20the%20credentials%20explicitly%20in%20each%20connection%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CEM%3EThe%20connection%20protects%20the%20values%20using%20DPAPI%20on%20the%20client%20and%20target%20server%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EWinRM%20connections%20use%20their%20own%20compression%20and%20symmetric%20encryption%20by%20default%3C%2FEM%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I would like to manage my core Windows 2016 domain controllers using Windows Admin Center. As I can't install WAC on a domain controller, I must use my PC or a nearby server.

 

My question is whether I am exposing my domain admin credentials accessing these core domain controllers while using WAC? How is the password protected and disposed of after my WAC session ends?

 

Thanks for your advice.

5 Replies

@LL10890 

 

Hoping for a reply.

Thanks

Best Response confirmed by LL10890 (Occasional Contributor)
Solution

@LL10890 I asked the same question to Microsoft and below is their response, I hope it helps

Credentials are not stored - anywhere. They are ephemeral from the gateway’s perspective but may live encrypted within browser memory during the user’s current session. 

The UI sends credentials by: 

  • Encrypting the text with the Json Web Key (JWK) specification using: 
  • RSA asymmetric encryption 
  • A 2,048 key size 
  • SHA-512 hash 

The encrypted value is sent in a HTTP header which is further encrypted by TLS/SSL 

The server decrypts the value, when present and stores it in memory using the Windows Data Protection API (DPAPI) 

 

When connecting to a resource, the gateway uses one of the following methods: 

  • Uses a type of Windows logon that only allows the credentials to be used to authenticate against a remote target 

Scenarios for this include non-PowerShell paths such as SMB operations such as file uploads or downloads 

  • WinRM calls for PowerShell/WMI to include the credentials explicitly in each connection 

The connection protects the values using DPAPI on the client and target server 

WinRM connections use their own compression and symmetric encryption by default 

@LL10890 Greetings, the question is? does MS Edge chrome or any browser leak your password if you save them in the browser? From what I can see when using WAC via Edge (MS Chrome version) at no point does it ask me to save my password to the browser so I assume it's a security function by default.

 

However, as WAC uses an SSL cert which is either self-signed or purchased your session is encrypted in any case. there is also the option to use InPrivate or application guard mode via the browser to add further security or you could use a sandbox version to windows 10 (if you use Win10 pro) to create a temp session for use when using WAC and once the container is closed all setting and history are reset to factory clean for next use. The sandbox option is overkill however I tested it and its all good. I have very paranoid friends. 

 

If your on-prem then you can just use the internal IP and port which isn't exposing anything or if you have a work VPN then do the same, e.g. use internal IP and port for WAC. I assume you want to use the gateway so it can be used anywhere. I invested in a SSL cert to encrypt my WAC and use InPrivate mode in MS Edge when out and about.

 

However, there are times I don't have my laptop and need to access from another location so I trust in my SSL and redirected all traffic to HTTPS by default (and use incognito mode on whatever browser I'm using external which I have no control overkill as I have an SSL).

 

But to be honest an SSL is the way go for WAC especially in a gateway for more info google or bing  "Install an SSL certificate in Windows Admin Center | 4sysops" 

 

Hope this helps, Godspeed

 
 
 

@Bryan Bishop 

Thanks for passing on that information. I can sleep better at night knowing that Microsoft has given this thought.

Larry

Thanks AvengeTheTECH. The SSL cert and sandbox are great suggestions.