Posted on August 4, 2016 · Posted in Windows Server 2012 R2

Blocking Remote Network Access for Local Accounts

Using local accounts (including the local administrator account) to access another computer over the network in Active Directory environments is not recommended for a number of reasons. The same local administrator login and password are often used on many computers, which puts all of them at risk if one computer is compromised (the pass-the-hash threat). Moreover, network access with local accounts is hard to attribute to a specific person and to monitor centrally, since it is not registered on AD domain controllers.

To reduce the risks, administrators rename the standard local Windows Administrator account. Regularly changing the administrator password to one that is unique on every computer in the domain (for example, using MS Local Administrator Password Solution) significantly increases the security of local administrator accounts. But this solution cannot restrict network access for all local accounts, since there can be more than one local account on a computer.

You can restrict access for local accounts using the Deny access to this computer from the network policy. But this policy requires you to explicitly list all accounts for which access will be denied.

In Windows 8.1 and Windows Server 2012 R2, two new well-known security groups with new SIDs appeared. This means that you no longer need to list all possible SIDs of local accounts and can use the universal SIDs instead.

SID | Name | Description
S-1-5-113 | NT AUTHORITY\Local account | All local accounts
S-1-5-114 | NT AUTHORITY\Local account and member of Administrators group | All local accounts with the administrator privileges

These groups are added to the user access token when logging in with the local account.

Make sure that the two new groups, NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114), are assigned to the local administrator account:

Whoami /all

S-1-5-113 Local account

This feature can also be added to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 by installing KB 2871997 (an update from June 2014).

You can check if these groups are present in the system as follows:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value

If the script returns NT Authority\Local account, the new local group (with this SID) is present in the system.

NT Authority\Local account

To restrict network access for local accounts that have these SIDs in their token, use the following policies, found in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

  1. Deny access to this computer from the network
  2. Deny log on through Remote Desktop Services

Add "Local account" and "Local account and member of Administrators group" to these policies and update the policy using gpupdate /force.
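To confirm that both user rights really contain the two SIDs after the policy refresh, you can parse a secedit export of the User Rights Assignment area. The script below is an added example, not part of the original article; the function names Get-UserRightSids and Test-LocalAccountDeny are hypothetical, and the sample export lines are constructed. SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight are the internal names of the two policies listed above.

```powershell
# Added example: audit both deny rights for the two local-account SIDs.
$requiredSids = 'S-1-5-113', 'S-1-5-114'
$denyRights = @(
    'SeDenyNetworkLogonRight'            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Get-UserRightSids {             # hypothetical helper name
    param([string[]]$InfLines, [string]$Right)
    # secedit writes one line per right, e.g. "SeDenyNetworkLogonRight = *S-1-5-113,Guest"
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }           # right is not assigned to anyone
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)          # "*S-1-5-..." is already a SID
        } elseif ($entry) {
            try {                        # plain account name: resolve it to a SID
                (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$entry' to a SID" }
        }
    }
}

function Test-LocalAccountDeny {         # hypothetical helper name
    param([string[]]$InfLines)
    foreach ($right in $denyRights) {
        $present = @(Get-UserRightSids -InfLines $InfLines -Right $right)
        foreach ($sid in $requiredSids) {
            [pscustomobject]@{ Right = $right; Sid = $sid; Denied = ($present -contains $sid) }
        }
    }
}

# Constructed sample export: the RDP right deliberately omits S-1-5-113.
$sample = @(
    '[Privilege Rights]'
    'SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114'
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-114'
)
Test-LocalAccountDeny -InfLines $sample | Format-Table -AutoSize

# Live check from an elevated prompt:
# $tmp = Join-Path $env:TEMP 'user_rights.inf'
# secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
# Test-LocalAccountDeny -InfLines (Get-Content $tmp)
```

Any row with Denied set to False marks a right that still lets the corresponding class of local accounts log on remotely.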


After the policy is applied, network access with local accounts to this computer is denied. When you try to establish an RDP session with the .\administrator account, the following error appears.

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

Important. Note that if the policy is applied to a computer outside an Active Directory domain, you can access this computer only using the local console.

Thus, you can deny network access with local accounts irrespective of their names and increase the security level of the corporate environment.
