Introduction
Local user accounts that access other computers in the Active Directory (AD) network remotely can cause serious security problems because of the access privilege involved. The most commonly cited example is that if local user accounts on several machines share the same username and password, and an attacker learns the credentials of one of them, the attacker can potentially gain access to every machine that has a local user account with that same name and password. This risk is called a pass-the-hash threat, and it is a major cause for concern. Naturally, administrators try to restrict such local user accounts from accessing computers remotely through the AD network.
Before Windows 8.1 and Windows Server 2012 R2, the solutions were complicated to execute. Administrators would use the "Deny access to this computer from the network" policy. However, this policy only worked if all the computers were listed in it. In Windows 8.1 and Windows Server 2012 R2, Microsoft introduced two new security groups with new security identifiers (SIDs). One group contains all local users, and the other contains all local administrators. Blocking remote network access is now much easier: an administrator only needs to list these two groups.
Note: The two security groups can also be used on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012 after installing the security update KB 2871997, released in June 2014.
Verifying the existence of the security groups
The SIDs of the new groups are as follows:
| Security group | Contains this account type | SID |
| --- | --- | --- |
| NT AUTHORITY\Local account | All local user accounts | S-1-5-113 |
| NT AUTHORITY\Local account and member of Administrators group | All local accounts with administrative privileges | S-1-5-114 |
You can verify whether the two security groups mentioned above are present on your computer by running a PowerShell script. To check the group for all local user accounts, run:
```powershell
# Translate the well-known SID of the "Local account" group to its account name
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value
```
If the local user accounts security group exists on your computer, then the script will return NT Authority\Local account as a result.
How to block remote network access for local user accounts
Blocking remote access for local user accounts can be done using group policy objects (GPO). Here's how you can do it:
- To open the Local Group Policy Editor, go to Start, search gpedit.msc, and click on the Edit Group Policy search result. Alternatively, you can press Windows key + R to open the Run tool, type gpedit.msc, and press Enter. The Local Group Policy Editor console will open.
- In the left pane, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
- In the right pane, among the list of policies, select the Deny log on through Remote Desktop Services policy. This policy is used to deny users the right to log on to a computer remotely.
- In the policy window that opens, click Add User or Group, and add the security group "Local account". If you also want to add the local administrators, add the security group "Local account and member of Administrators group". Then, click OK.
- Click OK in the policy window to confirm the action.
Once this is done, you will no longer be able to log on to computers remotely using the local accounts.
Note: If you want to apply this policy across an AD domain, you can use the Group Policy Management Console (GPMC) instead of the Local Group Policy Editor in the first step mentioned above. To open GPMC, launch Server Manager from the taskbar, or go to Start and then click Server Manager. In the Server Manager window, go to Tools, and select Group Policy Management.
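As an added audit check, not part of the original article, the following PowerShell script resolves both SIDs from the table above and then exports the local security policy with secedit.exe to confirm whether the two groups are listed in the Remote Desktop deny right configured in the steps above, and in the network-logon deny right as a stricter option. It assumes an elevated PowerShell session on a Windows host; the right names SeDenyRemoteInteractiveLogonRight and SeDenyNetworkLogonRight are the standard constants behind those two policies.

```powershell
# Added audit example (not from the original article). Assumes an elevated
# session; secedit.exe ships with Windows.
$groups = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

# 1. Confirm that the two well-known groups resolve on this host.
foreach ($sid in $groups.Keys) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
        Write-Output "$sid resolves to $name"
    } catch {
        Write-Warning "$sid does not resolve; KB 2871997 may be missing on this host"
    }
}

# 2. Export the user-rights section of the local security database.
#    secedit writes entries such as:  SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# 3. Report whether each group is denied RDP logon (the policy set above)
#    and network logon (SMB, WMI, remote PowerShell).
foreach ($right in 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
    $entry = $lines | Where-Object { $_ -like "$right*" }
    foreach ($sid in $groups.Keys) {
        $present = [bool]$entry -and ($entry -match [regex]::Escape("*$sid"))
        $state = if ($present) { 'DENIED' } else { 'NOT denied' }
        Write-Output "$right : $($groups[$sid]) -> $state"
    }
}
```

On a domain-joined machine the exported file reflects the settings currently applied to the local security database, so it is a convenient way to confirm that a GPO from GPMC actually reached the host.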