Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Windows Server 2016 / Windows: Block Remote Network Access for Local User Accounts

November 25, 2020 Active DirectoryGroup PoliciesWindows 10Windows Server 2016

Windows: Block Remote Network Access for Local User Accounts

Using local accounts (including the local administrator) to access another computer over network in Active Directory environments is not recommended on a number of reasons. The same local administrator username and password are often used on many computers, which can put multiple devices at risk if a single computer is compromised (Pass-the-hash attack threat). Moreover, access to the network resources with local accounts is hard to personify and centrally monitor, because such events are not logged on AD domain controllers.

To mitigate the risk, administrators can rename the default local Windows Administrator account. To regularly change the local administrator password on all computers in the domain, you can use the MS LAPS tool (Local Administrator Password Solution). But these solutions won’t be able to solve the problem of restricting network access for all local user accounts, since there can be more than one local account on a computer.

You can restrict network access for local accounts using the Deny access to this computer from the network policy. But this policy requires to explicitly list all accounts that need to be denied network access to the computer.
In Windows 8.1 and Windows Server 2012 R2, two new well-known security groups with new SIDs appeared. One includes all local users, and the second includes all local administrators.

S-1-5-113 NT AUTHORITY\Local account All local accounts
S-1-5-114 NT AUTHORITY\Local account and member of Administrators group All local accounts with the administrator privileges

Now, to restrict access for local accounts, you can use their common SIDs.

These groups are added to the user’s access token during logon to the computer under a local account.

To make sure that in Windows 10/Windows Server 2016 your local administrator account is assigned two new security groups (NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114)), run the command:

Whoami /all

Well-known security group NT AUTHORITY\Local account and member of Administrators group S-1-5-114

You can use these built-in local security groups on Windows 7/ 8 and Windows Server 2008 R2/ Windows Server 2012 after installing update KB 2871997 (June 2014).

You can check if these security groups exist on your Windows device by SID using the following PowerShell script:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value

powershell: get local well-known group by sid
If the script returns NT Authority\Local account, then this local group (with S-1-5-113 SID) exists on your computer.

In order to block the remote network access under local user accounts containing these SIDs in the token, you can use the settings from the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Deny Remote Desktop (RDP) Access for Local Users and Administrators

The Deny log on through Remote Desktop Services policy allows you to specify users and groups that are explicitly denied to logon to a computer remotely via Remote Desktop. You can deny RDP access to the computer for local and domain accounts.

By default, RDP access on Windows is allowed for the administrators and members of the local Remote Desktop User group.

If you want to restrict RDP connections for local users only (including local administrators), open the local GPO editor gpedit.msc (if you want to apply these settings on computers in the Active Directory domain, use the domain Group Policy Editor – gpmc.msc). Go to the GPO section User Rights Assignment and edit the Deny log on through Remote Desktop Services policy.

Add the built-in local security groups “Local account and member of Administrators group” and “Local account” to the policy. Update local Group Policy settings using the command: gpupdate /force.

GPO: Deny log on through Remote Desktop Services under local user and admin accounts

The deny policy takes precedence over the Allow log on through Remote Desktop Services policy. If a user or group is added in both policies, RDP access for that user will be denied.

Now, if you try to connect to your computer under local user via RDP, an error will appear:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.

To sign in remotely, you need the right to sign in through Remote Desktop Services

Deny Access to Computer from the Network

You can deny network access to a computer under local credentials with the Deny access to this computer from the network policy.

Add the local groups “Local account” and “Local account and member of Administrators group” to the Deny access to this computer from the network policy. Also, you should always deny anonymous access and access under a guest account.

For a domain environment, we recommend that you use the Deny access to this computer from the network policy to completely block access to workstations and domain-member servers under accounts from the Domain Admins and Enterprise Admins security groups. These accounts should only be used to access domain controllers. This will reduce the risks of capturing the administrative (privileged) account hash and privilege escalation.

gpo Deny access to this computer from the network for local users

After applying the policy, you won’t be able to remotely connect to this computer over the network under any local Windows account. When trying to connect to a shared network folder or map a network drive from this computer under a local account, an error will appear:

Microsoft Windows Network: Logon failure: the user has not been granted the requested logon type at this computers.

When trying to establish a Remote Desktop connection under the local administrator account (.\administrator), an error message appears.

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

Important. If you apply this policy to a computer that is part of a Windows workgroup (not joined to an Active Directory domain), you can only logon to that computer locally.

Deny Users to Sign in Locally to Windows 10

Using the Deny log on locally policy, you can also restrict interactive logins to the computer/server under local Windows accounts. Go to the GPO User Rights Assignment section, edit the Deny log on locally policy. Add the required local security group to it.

Be especially careful with deny Group Policy settings. If configured incorrectly, you may lose access to computers. As a last resort, you can reset your local GPO settings like this.

gpo: deny log on locally for local windows users

Now, if a user or administrator tries to logon to the computer under a local account, a message will appear.

The sign-in method you are trying to use isn’t allowed. For more info, contact your network administrator.

The sign-in method you are trying to use isn’t allowed windows 10

The same message will appear if you have restricted the list of computers allowed to login in the user account settings in AD.

Thus, you can deny network access under local Windows accounts to computers and domain-member servers, and increase the security of the corporate environment.

6 comments
1
Facebook Twitter Google + Pinterest
previous post
Zabbix Installation and Basic Configuration Guide
next post
Copy Files or Folders to All Computers via GPO

Related Reading

How to Configure and Connect an iSCSI Disk...

January 26, 2021

Preparing Windows for Adobe Flash End of Life...

January 22, 2021

Checking User Logon History in Active Directory Domain...

January 22, 2021

How to Disable/Remove Thumbs.db File on Network Folders...

January 21, 2021

USB Device Passthrough (Redirect) to Hyper-V Virtual Machine

January 15, 2021

6 comments

Mahmoud zamel August 7, 2017 - 6:48 am

Thanks for the good article

Reply
TDA July 5, 2019 - 11:41 am

Great article.
And how to allow .\administrator on a specific computer only?

Reply
admin July 8, 2019 - 4:29 am

You can exclude a user or group from Group Policy Object. To do this, find you GPO you want to apply an exception on in the Group Policy Management Console. Go to the Delegation tab -> Advanced -> Add -> Select a computer name to exclude -> Select “Deny” in the “Apply group policy” permission.

Reply
sasa December 2, 2020 - 8:22 pm

What if I want to allow only local administrator (i.e. RID-500 account) to logon over network and to deny logon over network to all other local (and local only) accounts ? There is no SID for “every local account but RID-500 admin” so I presume it is not an easy job to do.

Reply
Antonio December 24, 2020 - 9:48 am

Thanks

Reply
Elizabeth January 4, 2021 - 12:35 pm

Wonderful article. In order to block the remote network access under local user accounts containing these SIDs in the token, you can use the settings from the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Configure and Connect an iSCSI Disk on Windows Server?

    January 26, 2021
  • Preparing Windows for Adobe Flash End of Life on December 31, 2020

    January 22, 2021
  • Checking User Logon History in Active Directory Domain with PowerShell

    January 22, 2021
  • How to Disable/Remove Thumbs.db File on Network Folders in Windows?

    January 21, 2021
  • MS SQL Server 2019 Installation Guide: Basic Settings and Recommendations

    January 19, 2021
  • USB Device Passthrough (Redirect) to Hyper-V Virtual Machine

    January 15, 2021
  • Windows 10: No Internet Connection After Connecting to VPN Server

    January 13, 2021
  • Updating the PowerShell Version on Windows

    December 24, 2020
  • How to Enable and Configure User Disk Quotas in Windows?

    December 23, 2020
  • Restoring Deleted Active Directory Objects/Users

    December 21, 2020

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Changing Desktop Background Wallpaper in Windows through GPO
  • Restricting Group Policy with WMI Filtering
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top