Using local accounts (including the built-in local Administrator account) to access other computers over the network in an Active Directory environment is not recommended, for several reasons. The same local administrator name and password are often used on many computers, so compromising one of them puts all the others at risk (pass-the-hash: the NTLM hash of the shared password is enough to authenticate to the rest). In addition, network access with local accounts is hard to attribute to a person and hard to monitor centrally, because such logons are not authenticated by the domain controllers and therefore never appear in their logs; only the Security log of the target computer records them.
To reduce the risk, administrators often rename the built-in Administrator account (this hides little, since its SID always ends in RID 500 and the account can be found by SID regardless of its name). Regularly changing the local administrator password to a unique value on every computer in the domain (for example with Microsoft's Local Administrator Password Solution, LAPS) significantly improves the security of local administrator accounts. But neither measure restricts network access for all local accounts, since a computer may have more than one of them.
You can restrict network access for local accounts with the Deny access to this computer from the network policy, but this policy requires you to explicitly list every account whose access is to be denied, so it does not cover local accounts created later or under other names.
Windows 8.1 and Windows Server 2012 R2 introduced two new well-known security groups with their own SIDs. You no longer need to enumerate the SIDs of all possible local accounts: the universal SID of the group covers them all.
| SID | Name | Members |
| --- | --- | --- |
| S-1-5-113 | NT AUTHORITY\Local account | All local accounts |
| S-1-5-114 | NT AUTHORITY\Local account and member of Administrators group | All local accounts that are members of the local Administrators group |
These groups are added to the user's access token when the user logs on with a local account (S-1-5-114 only if that account is a member of the local Administrators group). Domain accounts never receive them, not even domain accounts that are members of the local Administrators group, so the policies below never lock out domain admins.
Make sure that the two new groups, NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114), appear in the token of the local administrator account: log on with that account and run
whoami /all
The feature can also be added to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 by installing update KB 2871997 (released in June 2014).
You can check whether these groups exist on a system as follows (PowerShell):
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value
If the script returns NT AUTHORITY\Local account, the well-known group with this SID exists on the system. On a system that lacks the feature, the Translate() call fails with an IdentityNotMappedException instead of returning a name.
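The following script is an added example, not code from the original article: it extends the check above to both SIDs, handles the failure case (an older OS without KB 2871997) instead of letting Translate() throw, and inspects the current logon token the same way whoami /all does. The function names and the hotfix check are this example's own choices.

```powershell
# Added example (not from the original article): verify that the well-known
# local-account SIDs exist on this system and whether the current token carries them.

function Test-LocalAccountSid {
    # Returns one object per SID: does it resolve to a name on this system?
    $sids = @{
        'S-1-5-113' = 'Local account'
        'S-1-5-114' = 'Local account and member of Administrators group'
    }
    foreach ($sid in $sids.Keys) {
        $resolved = $null
        try {
            $objSid = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $resolved = $objSid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Translate() throws this when LSA does not know the SID, i.e. the OS
            # predates Windows 8.1 / Server 2012 R2 and KB2871997 is not installed.
            $resolved = $null
        }
        New-Object PSObject -Property @{
            Sid      = $sid
            Expected = $sids[$sid]
            Name     = $resolved
            Present  = [bool]$resolved
        }
    }
}

function Test-TokenHasLocalAccountGroup {
    # Inspects the current process token (what "whoami /groups" prints) and reports
    # which of the two well-known groups the logged-on account received.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }
    New-Object PSObject -Property @{
        User             = $identity.Name
        IsLocalAccount   = ($groupSids -contains 'S-1-5-113')   # any local account
        IsLocalAdminAcct = ($groupSids -contains 'S-1-5-114')   # local account in Administrators
    }
}

# Usage: report both SIDs, hint at the missing update, then show the current token.
$present = Test-LocalAccountSid
$present | Format-Table Sid, Name, Present -AutoSize
if ($present | Where-Object { -not $_.Present }) {
    # Hint only: Get-HotFix lists installed updates; KB2871997 is the one that
    # adds these SIDs to Windows 7 / 8 / Server 2008 R2 / Server 2012.
    if (-not (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)) {
        Write-Warning 'SIDs not resolvable and KB2871997 not found: install the update first.'
    }
}
Test-TokenHasLocalAccountGroup | Format-List
```

Run it once as a domain user and once as .\administrator: only the local account should show IsLocalAccount and IsLocalAdminAcct as True, which is exactly why the deny policies below do not affect domain accounts.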
To restrict network access for local accounts (that is, for any account whose token contains these SIDs), use the following policies, found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
- Deny access to this computer from the network
- Deny log on through Remote Desktop Services
Add Local account and Local account and member of Administrators group to both policies and refresh the policy with gpupdate /force. Before rolling this out, keep in mind that a Deny right always wins over an Allow right, that denying S-1-5-113 also blocks any service or scheduled task that uses a local account to reach this computer over the network (file shares, WMI, WinRM), and that these two rights do not affect interactive logon at the console, so a local administrator can still sign in locally if the computer loses its domain trust. Do not apply the policies to standalone (workgroup) computers, where local accounts are the only way to manage them remotely. Microsoft's security baselines for domain-joined computers deny network logon to Local account and member of Administrators group and deny Remote Desktop logon to Local account.
Once the policy has applied, network access to this computer with local accounts is denied: an attempt to open an RDP session as .\administrator fails with a logon error.
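The script below is an added example and not part of the original article. It applies the same two deny rights to the local security policy with secedit (for a lab machine or a computer the GPO does not reach) and, more usefully in a domain, verifies what is actually in effect after gpupdate /force, since the exported local security database reflects the rights the GPO delivered. The function names, temporary file paths and the default choice of S-1-5-114 are this example's own; secedit names the two policies SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight and prefixes SIDs with an asterisk in its templates.

```powershell
# Added example (not from the original article): apply and verify the deny rights
# for the well-known local-account SIDs via secedit. Run in an elevated PowerShell.

# The two user rights as secedit names them (the "Deny ..." policies in the GPO editor).
$DenyRights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Get-UserRightAssignment {
    # Exports the effective local security policy and returns, per right, the list of
    # assigned principals (SIDs appear as *S-1-5-..., names without the asterisk).
    param([string[]]$Rights = $DenyRights)
    $inf = Join-Path $env:TEMP 'ura-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines  = Get-Content $inf          # secedit writes UTF-16 with BOM; Get-Content detects it
    $result = @{}
    foreach ($right in $Rights) {
        $values = @()
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        if ($line) {
            # A right with no assignment has no line at all; otherwise split "Name = a,b,c".
            $values = @(($line -split '=', 2)[1] -split ',' |
                        ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        $result[$right] = $values
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $result
}

function Add-DenyLocalAccountLogon {
    # Adds the given well-known SIDs to both deny rights. secedit /configure REPLACES a
    # right's whole list, so the current assignment is exported and merged first to avoid
    # silently dropping entries such as Guests.
    param(
        [string[]]$Sids = @('S-1-5-114'),  # S-1-5-114 = local admins only; S-1-5-113 = every local account
        [switch]$Apply                     # without -Apply the template is only shown, not applied
    )
    # Refuse on workgroup machines: local accounts are the only remote admin path there.
    if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        throw 'Standalone computer: denying network/RDP logon to local accounts would cut off all remote administration.'
    }
    $current = Get-UserRightAssignment
    $body = foreach ($right in $DenyRights) {
        $merged = @(@($current[$right]) + @($Sids | ForEach-Object { "*$_" })) | Select-Object -Unique
        "$right = " + ($merged -join ',')
    }
    $template = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]'
    ) + $body
    $inf = Join-Path $env:TEMP 'deny-local.inf'
    $db  = Join-Path $env:TEMP 'deny-local.sdb'
    $template | Set-Content -Path $inf -Encoding Unicode
    if ($Apply) {
        secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
        Remove-Item $inf, $db -ErrorAction SilentlyContinue
        Get-UserRightAssignment     # show what is now in effect
    } else {
        $template                   # dry run: the .inf that would be applied
    }
}

# Usage on a domain-joined computer after gpupdate /force: confirm the GPO took effect.
$effective = Get-UserRightAssignment
foreach ($right in $DenyRights) {
    $sids = $effective[$right]
    "{0}: {1}" -f $right, ($sids -join ',')
    if ($sids -notcontains '*S-1-5-113' -and $sids -notcontains '*S-1-5-114') {
        Write-Warning "$right does not deny either well-known local-account SID yet."
    }
}
# Local-policy variant (lab machine only): Add-DenyLocalAccountLogon -Sids 'S-1-5-114' -Apply
```

On a domain member a GPO that configures the same right overrides whatever the local variant sets at the next policy refresh, so use Add-DenyLocalAccountLogon only where no GPO manages these rights; Get-UserRightAssignment is the part worth keeping in a domain, as the check to run on a pilot computer before denying network logon to every local account.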
Thus you can deny network access with local accounts regardless of their names and raise the security level of the corporate environment.
3 comments
Thanks for the good article
Great article.
And how to allow .\administrator on a specific computer only?
You can exclude a user or group from a Group Policy Object. To do this, find the GPO you want to apply an exception to in the Group Policy Management Console. Go to the Delegation tab -> Advanced -> Add -> select the computer name to exclude -> select “Deny” for the “Apply group policy” permission.