Computer Configuration\Windows Settings\Local Policies\User Rights Assignment.
Deny access to this computer from the network - local account
Deny log on through Terminal Services - local account
You can also use the account "Local account and member of Administrators group" for these two GPO settings as "Local Account" can cause some issues with Failover Clustering.
This is awesome and seems to work pretty well. A lot of times companies setup a local admin on every computer on the network and set the password the same on all of them. Even though these are "local" users accounts they can still be used remotely. Therefore when a bad guy gets access to one machine they can grab the hash of the local admin account and login to any other PC on the network that has the same password. The same is true for servers.
There are other solutions to this problem including Microsoft LAPs and Trustedsec's SHIPS. I had heard of this functionality previously, but hadn't looked into it until I saw a post from "Swift on Security" on Twitter about it. Gotta love T. Swift.
References:
http://blogs.technet.com/b/secguide/archive/2014/09/02/blocking-remote-use-of-local-accounts.aspx
https://twitter.com/SwiftOnSecurity/status/655174103964471296
https://www.trustedsec.com/ships/
https://www.microsoft.com/en-us/download/details.aspx?id=46899
No comments:
Post a Comment