Windows OS Hub
August 4, 2016 Windows Server 2012 R2

Blocking Remote Network Access for Local Accounts

Using local accounts (including the built-in local Administrator) to access another computer over the network in an Active Directory environment is not recommended for several reasons. The same local administrator name and password are often used on many computers, so compromising one computer puts all of them at risk (the pass-the-hash threat: for network logon the NTLM hash of a local account is as good as the password). In addition, network access with local accounts is hard to attribute to a person and to monitor centrally, because such logons are authenticated by the target computer itself and are never registered on the domain controllers.

To reduce the risk, administrators rename the built-in local Administrator account. Regularly changing the administrator password to a unique value on every computer in the domain (for example, with Microsoft's Local Administrator Password Solution, LAPS) significantly improves the security of the local administrator accounts. But this does not restrict network access for all local accounts, since a computer can have more than one local account.

You can restrict network access for local accounts with the Deny access to this computer from the network policy. However, this policy requires you to explicitly list every account to be denied, and that list has to be kept in sync with the local accounts that actually exist on each computer.

Windows 8.1 and Windows Server 2012 R2 introduced two new well-known security groups with new SIDs. You no longer need to enumerate the SIDs of every possible local account; a single well-known SID covers them all:

SID         Group name                                                      Members
S-1-5-113   NT AUTHORITY\Local account                                      All local accounts
S-1-5-114   NT AUTHORITY\Local account and member of Administrators group   All local accounts with administrator privileges

These groups are added to the user's access token when the user logs on with a local account; a domain account never receives them, so domain logons are unaffected by policies that target these SIDs.

Make sure that the two new groups, NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114), are present in the access token of the local administrator account. Log on as the local administrator and run:

whoami /all

In the GROUP INFORMATION section you should see both groups listed as Well-known group entries:

NT AUTHORITY\Local account                                      Well-known group   S-1-5-113
NT AUTHORITY\Local account and member of Administrators group   Well-known group   S-1-5-114

This feature can also be added to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 by installing KB2871997 (the 2014 credentials protection update).

You can check whether the system knows these groups as follows:

# Resolve the well-known SID to an account name; Translate() throws an
# IdentityNotMappedException if this OS does not know the SID (no KB2871997)
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value

If the script returns NT AUTHORITY\Local account, the new well-known group with this SID is present in the system. On an unpatched older system the Translate() call fails with an IdentityNotMappedException instead. Repeat the check with S-1-5-114 for the second group.

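As an added example that is not part of the original article, the following PowerShell script extends the check above to both SIDs and also looks inside the current logon token, which is the same data whoami /all prints: for each well-known SID it reports whether the OS can resolve it and whether it is present in the token of the account you are running as. Run it from an elevated prompt once under a local account and once under a domain account to see the difference. The function and output column names are this example's own.

```powershell
# Added example, not code from the original article; the function name and
# output columns are this example's own. Checks whether the two well-known
# "Local account" SIDs are known to this OS and whether they are present in
# the current process token. Run elevated (UAC filtering should not affect the
# result) under a local account, then under a domain account: only the local
# logon should show InToken = True.

$LocalAccountSids = [ordered]@{
    'S-1-5-113' = 'NT AUTHORITY\Local account'
    'S-1-5-114' = 'NT AUTHORITY\Local account and member of Administrators group'
}

function Test-LocalAccountTokenGroups {
    # Group SIDs of the current token: the same list whoami /all prints
    # under GROUP INFORMATION.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($sid in $LocalAccountSids.Keys) {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        try {
            # Translate() only succeeds when the OS knows the well-known SID
            # (Windows 8.1 / Server 2012 R2 and later, or an older OS with KB2871997).
            $name  = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            $known = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name  = $LocalAccountSids[$sid] + ' (expected name; SID unknown to this OS)'
            $known = $false
        }
        [pscustomobject]@{
            SID       = $sid
            Name      = $name
            KnownToOS = $known
            InToken   = $tokenSids -contains $sid
        }
    }
}

Test-LocalAccountTokenGroups | Format-Table -AutoSize
```

If KnownToOS is False for both rows, the computer is missing KB2871997 and the policies below cannot be applied to it by SID; if KnownToOS is True but InToken is False while you are logged on with a local account, you are not looking at the token you think you are (for example, a remote session authenticated with a domain account).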
To deny network access to accounts whose token contains these SIDs, use the following two policies, found under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:

  1. Deny access to this computer from the network
  2. Deny log on through Remote Desktop Services

Add Local account and Local account and member of Administrators group to both policies in the GPO linked to the OU that contains the target computers, then refresh the policy on a client with gpupdate /force. The first policy blocks SMB (including the administrative shares), WMI, remote PowerShell and RDP connections that use Network Level Authentication; the second additionally covers RDP connections made without NLA, which are interactive rather than network logons. Note that Microsoft's own security baselines add only Local account and member of Administrators group (S-1-5-114) to Deny access to this computer from the network: denying all local accounts (S-1-5-113) breaks Failover Clustering, which uses a local account (CLIUSR) for node-to-node communication. Do not apply S-1-5-113 to cluster nodes.

After the policy is applied, network access to this computer with local accounts is denied. When you try to establish an RDP session with the .\Administrator account, the following error appears:

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

Important. If the policy is applied to a computer that is not a member of an Active Directory domain, every account on it is a local account, so once the setting takes effect the computer can be administered only from the local console (or an out-of-band console such as the hypervisor's). Test the policy on a single computer first and keep a way to roll it back before linking the GPO broadly.

In this way you can deny network access with local accounts regardless of their names and raise the security level of the corporate environment.
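As an added example that is not part of the original article, the following PowerShell script reads the effective User Rights Assignment with secedit and reports whether the two deny rights contain S-1-5-113 and S-1-5-114; a second function applies them to a standalone computer's local security policy, merging with the entries already present, since secedit /configure replaces each right's whole list. The function names and temporary file paths are this example's own. On a domain member the GPO value overrides the local policy, so there the Test function is the useful part: it verifies that the GPO has actually applied. Run it elevated, and remember the warning above: applying both rights on a non-domain host leaves only console access.

```powershell
# Added example, not code from the original article. Function names and temp
# file paths are this example's own. Run in an elevated PowerShell session.
#
# INF right names used by secedit for the two policies discussed:
#   SeDenyNetworkLogonRight           = Deny access to this computer from the network
#   SeDenyRemoteInteractiveLogonRight = Deny log on through Remote Desktop Services

$Rights     = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$WantedSids = '*S-1-5-113', '*S-1-5-114'   # secedit writes SIDs with a leading '*'

function Get-UserRightsAssignment {
    # Export the effective User Rights Assignment area to an INF and parse the
    # "SeXxxRight = *SID,name,..." lines of its [Privilege Rights] section.
    $inf = Join-Path $env:TEMP 'ura-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $ura = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $ura[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $ura
}

function Test-LocalAccountDenyRights {
    # One row per (right, SID): Denied = True when the well-known SID is listed.
    $ura = Get-UserRightsAssignment
    foreach ($right in $Rights) {
        foreach ($sid in $WantedSids) {
            [pscustomobject]@{
                Right  = $right
                SID    = $sid.TrimStart('*')
                Denied = @($ura[$right]) -contains $sid
            }
        }
    }
}

function Set-LocalAccountDenyRights {
    # Local security policy only: on a domain member the GPO value wins.
    # secedit /configure REPLACES each right's list, so merge with the existing
    # entries (e.g. Guests) instead of clobbering them.
    $ura   = Get-UserRightsAssignment
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]',
               'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights) {
        $merged = @(@($ura[$right]) + $WantedSids | Where-Object { $_ } | Select-Object -Unique)
        $lines += "$right = " + ($merged -join ',')
    }
    $inf = Join-Path $env:TEMP 'deny-local.inf'
    $db  = Join-Path $env:TEMP 'deny-local.sdb'
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

Test-LocalAccountDenyRights | Format-Table -AutoSize
# Set-LocalAccountDenyRights    # apply on a standalone host, then re-run the test
```

The INF is parsed by SID rather than by name on purpose: secedit exports well-known groups as *S-1-5-113 and *S-1-5-114, so the check works regardless of the display language and even when the Local account groups have been renamed in the UI.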

3 comments

Mahmoud zamel August 7, 2017 - 6:48 am

Thanks for the good article

TDA July 5, 2019 - 11:41 am

Great article.
And how to allow .\administrator on a specific computer only?

admin July 8, 2019 - 4:29 am

You can exclude a user or group from the Group Policy Object. To do this, find the GPO you want to apply an exception to in the Group Policy Management Console. Go to the Delegation tab -> Advanced -> Add -> select the computer name to exclude -> select "Deny" for the "Apply group policy" permission.

