mitigating rce over smb, using biometrics and totp on rdc on local computer

by emre - 14.03.2025



a discussion on spiceworks prompted me to do this, since i needed it.

disabling administrative smb shares
first, issue the command below in an administrative shell session to disable the administrative smb shares.
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 0

then restart the machine or issue the commands below.
net stop server
net start server

as you can see, remote code execution over smb that depends on the administrative shares (admin$, c$) is now blocked.



two important points when creating a share:
1- always share your folder with a non-administrative user. don't grant any permission to your administrative user.
2- when you share a folder on your desktop, windows also creates a share for c:\users. we don't want that, because if the privileges are not assigned carefully, rce over smb becomes possible again. always keep track of your shares with the net share command.

setting up biometrics and pin
i'm using the fingerprint reader on my machine for easy log-in. when you set up biometrics, you also have to set a pin, so when the fingerprint reader can't read your finger, authentication falls back to the pin or the account password.

set up your pin with the "include letters and symbols" option checked. also make sure that it's different from your account password. in this case my pin is "sadcat".



the final nail to the coffin
in this case we don't want password authentication at all; that's why we set up biometrics and a pin.

issue the command below in an administrative shell session to disable the password credential provider.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}" /f /v Disabled /t REG_DWORD /d 1

from now on, windows won't ask for a password at system start, on unlock, or after logging off.




but there's a problem. disabling the password credential provider also affects rdp and smb logins: because the provider is disabled, windows won't ask for a password on those connections either.



automation via task scheduler doesn't solve the problem, so i found a super janky solution for it.

create enable.bat with the following contents:
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}" /f /v Disabled

create disable.bat with the following contents:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}" /f /v Disabled /t REG_DWORD /d 1

then move enable.bat and disable.bat to c:\windows\system32\. now, when you need the password credential provider in certain situations, just issue the enable command in an administrative shell session. when you're done, turn it off again by issuing the disable command.
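to verify the share rules and the credential-provider toggle from the sections above in one go, here is an added audit script (my addition, not part of emre's post). it assumes an elevated powershell session on the same workstation; the registry paths and the provider clsid are the ones used above, and note that AutoShareWks only governs workstation editions (server editions use AutoShareServer instead).

```powershell
# Added audit script (not part of the original post). Assumes an elevated PowerShell
# session on the hardened workstation; registry paths and the CLSID come from the post.
$clsid    = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # password credential provider
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$credProv = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$clsid"
$findings = @()

# 1. AutoShareWks must be 0 so admin$ and c$ are not recreated when the server service starts
$autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($autoShare -ne 0) { $findings += "AutoShareWks is '$autoShare' (expected 0)" }

# 2. no administrative share should be exposed right now (same view as `net share`);
#    IPC$ is also a special share but cannot be removed, so it is ignored here
$shares = Get-SmbShare
foreach ($s in $shares) {
    if ($s.Special -and $s.Name -ne 'IPC$') {
        $findings += "administrative share still present: $($s.Name) -> $($s.Path)"
    }
    # sharing a desktop folder through the wizard also publishes c:\users; flag that
    if ($s.Path -and ($s.Path.TrimEnd('\') -ieq "$env:SystemDrive\Users")) {
        $findings += "share '$($s.Name)' exposes the profile root $($s.Path)"
    }
}

# 3. ordinary shares must not grant access to the Administrators group or any of its members
$adminNames = @('BUILTIN\Administrators') +
              (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
foreach ($s in ($shares | Where-Object { -not $_.Special })) {
    foreach ($ace in Get-SmbShareAccess -Name $s.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $adminNames -contains $ace.AccountName) {
            $findings += "share '$($s.Name)' grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }
}

# 4. the password credential provider must be disabled (Disabled=1) unless enable.bat is in effect
$disabled = (Get-ItemProperty -Path $credProv -Name Disabled -ErrorAction SilentlyContinue).Disabled
if ($disabled -ne 1) { $findings += "password credential provider is active (Disabled='$disabled')" }

if ($findings.Count -eq 0) { 'all checks passed' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

a missing AutoShareWks or Disabled value is reported as a failure on purpose, because in both cases windows falls back to the default (shares enabled, provider active).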

set up multiotp credential provider for totp on rdc
for enhanced security, we are going to use the multiotp credential provider for rdp.

https://github.com/multiOTP/multiOTPCredentialProvider/releases/latest

just download multiOTPCredentialProvider-x.x.x.x.zip, extract it and run the setup.

key points:
1- tick "no remote server, local multiotp only".



2- i chose "only remote" for this part because it asks for the account password on local machine login. i don't want that since i'm using biometrics.



setup is done, let's create a user and a totp code.

to create a user with google authenticator:
"C:\Program Files\multiOTP\multiotp.exe" -createga yourusername seednumber

e.g.: "C:\Program Files\multiOTP\multiotp.exe" -createga emre 666

to generate the totp qr code:
"C:\Program Files\multiOTP\multiotp.exe" -qrcode yourusername c:\users\yourusername\desktop\qr.png

finally, it will look like this:




let's roll!

if you have questions: contact