Wednesday, October 21, 2015

Blocking Local Users From Logging In Remotely

The link below is a really good post from Microsoft about blocking local users from logging in remotely. It's as simple as creating a GPO.  

Computer Configuration\Windows Settings\Local Policies\User Rights Assignment.

Deny access to this computer from the network - local account
Deny log on through Terminal Services - local account

You can also use the account "Local account and member of Administrators group" for these two GPO settings as "Local Account" can cause some issues with Failover Clustering.

This is awesome and seems to work pretty well. A lot of times companies setup a local admin on every computer on the network and set the password the same on all of them. Even though these are "local" users accounts they can still be used remotely. Therefore when a bad guy gets access to one machine they can grab the hash of the local admin account and login to any other PC on the network that has the same password. The same is true for servers.

There are other solutions to this problem including Microsoft LAPs and Trustedsec's SHIPS. I had heard of this functionality previously, but hadn't looked into it until I saw a post from "Swift on Security" on Twitter about it. Gotta love T. Swift.



References:


http://blogs.technet.com/b/secguide/archive/2014/09/02/blocking-remote-use-of-local-accounts.aspx

https://twitter.com/SwiftOnSecurity/status/655174103964471296

https://www.trustedsec.com/ships/

https://www.microsoft.com/en-us/download/details.aspx?id=46899

 
 

No comments: