Why should you disable network login for local accounts?

9,443

Solution 1

Allowing network logon for local accounts is dangerous and a poor security practice. For Administrators group members, I would actually characterize it as negligence. It enables lateral movement, and is difficult to detect and audit because the account logons are not logged centrally (on the domain controllers).

To mitigate this threat, Microsoft actually created two new built-in security identifiers to add to the "Deny access to this computer from the network" user right:

S-1-5-113: NT AUTHORITY\Local account  
S-1-5-114: NT AUTHORITY\Local account and member of Administrators group  

http://blogs.technet.com/b/secguide/archive/2014/09/02/blocking-remote-use-of-local-accounts.aspx

http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
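The two SIDs above are only useful once they actually appear in the "Deny access to this computer from the network" right (internally `SeDenyNetworkLogonRight`). The following PowerShell is an added example, not code from the answer or from Microsoft: it exports the effective local policy with `secedit`, reports whether S-1-5-113 and S-1-5-114 are denied, and can merge them into the right while preserving any SIDs already listed. It assumes an elevated session on a Windows build where those SIDs exist (Windows 8.1 / Server 2012 R2 or later, or older builds with KB2871997); on a build without them, the SID translation step reports that they are undefined.

```powershell
# Added example: audit and set SeDenyNetworkLogonRight for the two built-in local-account SIDs.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2+ (or KB2871997 installed).
$RequiredSids = @('S-1-5-113', 'S-1-5-114')

function Get-DenyNetworkLogonSids {
    # Export the effective local security policy and read the SeDenyNetworkLogonRight line.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not configured at all
    # Exported format: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114  (each SID prefixed with '*')
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-LocalAccountNetworkLogonDenied {
    # Prints one status line per required SID and returns $true only if both are denied.
    $current = @(Get-DenyNetworkLogonSids)
    foreach ($sid in $RequiredSids) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<SID not defined on this OS build>'
        }
        $state = if ($current -contains $sid) { 'DENIED' } else { 'ALLOWED' }
        Write-Host ('{0,-12} {1,-58} network logon: {2}' -f $sid, $name, $state)
    }
    $missing = @($RequiredSids | Where-Object { $current -notcontains $_ })
    return ($missing.Count -eq 0)
}

function Set-DenyNetworkLogonForLocalAccounts {
    # Merge the required SIDs with whatever is already denied, then apply only the user-rights area.
    $merged = @(Get-DenyNetworkLogonSids) + $RequiredSids | Sort-Object -Unique
    $value  = ($merged | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP 'deny-local-network-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db (Join-Path $env:TEMP 'deny-local.sdb') /cfg $inf /areas USER_RIGHTS /quiet
    Remove-Item $inf -ErrorAction SilentlyContinue
}

if (-not (Test-LocalAccountNetworkLogonDenied)) {
    Write-Warning 'Local accounts can still log on over the network; run Set-DenyNetworkLogonForLocalAccounts to deny them.'
}
```

On a domain-joined machine a Group Policy object that sets the same right will overwrite whatever `secedit` writes locally at the next refresh, so in a domain the SIDs belong in the GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment) and the script is then only an audit of the effective result. The merge step matters because replacing the right wholesale would silently drop any other principals an organisation has already denied.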

Solution 2

No, your example scenario is incorrect. If he's using AD credentials to log in, everything's fine. The issue is with local accounts, that is, ones that are created on, and exist only on, individual computers. For example, .\Administrator, but this applies to any account in the computer's domain (COMPUTERNAME\USERNAME). The security risk, AIUI, is that if local accounts (e.g. the local Administrator) share the same password across multiple machines, it's possible to extract the password hashes from the computer, and reuse the hashes in some cases to (as a malware infestation or other attacker) move laterally between computers.


Author: The Man

Updated on September 18, 2022

Comments

  • The Man
    The Man over 1 year

    This question is in reference to @SwiftOnSecurity's Twitter thread: https://twitter.com/SwiftOnSecurity/status/655208224572882944

    After reading through the thread, I still don't quite get why you would want to disable network login for local accounts.

    So here is what I'm thinking, please correct me where I am wrong:

    Say I have an AD set up with a DC and multiple clients. One of the clients is John. So in the morning, John goes into work, and logs into his desktop PC with the AD credentials. At noon, John heads out for a meeting, and 'locks' his computer (Windows + L). He then needs to connect to his PC back at the office using his personal laptop remotely (via RDP or something). However, using this new policy, he won't be able to do so.

    The explanation that Securitay gives is that the passwords are not salted. However, how would an attacker gain access in this case? On which end is the password not salted? Or is the situation I have in my mind completely unrelated to what she is trying to say? If this is the case, what is she actually trying to say?

  • The Man
    The Man over 8 years
    Thank you for responding. However, can you give an example scenario on how security may be compromised?
  • The Man
    The Man over 8 years
    Thank you for answering. So let me understand it correctly:
  • The Man
    The Man over 8 years
    Let's say I have a DC (SERVER1) with RDP enabled. On my personal laptop (not connected to the AD domain), I have the same Administrator username and password. So when I want to manage SERVER1, I connect to it via RDP from my personal laptop. However, one day, my personal laptop was stolen, and the thief was able to access my laptop with admin permissions. From there, he can then see the local user's password hash, and use the same hash to connect to the server. Would this scenario be correct then?
  • The Man
    The Man over 8 years
    However (if this scenario is correct), this raises more questions. Wouldn't there be no risk at all if I had simply used different passwords for different users? Also, how will having network logon enabled matter in this case? Is it just because the attacker can gain access and configure it without having physical access?
  • Greg Askew
    Greg Askew over 8 years
    Yes to both, but I doubt an auditor would accept having different passwords as a sufficient compensating control for this risk. Having local administrator accounts enabled for network logon is the kind of lateral movement that sinks your battleship when you are attacked. Local administrator accounts should only be for local access and never over the network.
  • The Man
    The Man over 8 years
    Just to clarify a few things. By yes to both, you mean the newest scenario I suggested is correct, right? Also, how bad would things be if network logons are enabled? I ask this as I still can't see how enabling network logon would allow attackers access. Also, if I disable network logon, is having physical access the only way of interfacing/configuring the server?
  • Greg Askew
    Greg Askew over 8 years
    Yes, both are correct (subjectively). However, at some point you need to recognize security guidance as just that. Guidance. You need to balance the guidance with your needs and arrive at your own decision that works for you.
  • Micha
    Micha over 8 years
    Contoso uses a fixed local admin password. Contoso doesn't prevent network login for local accounts. User gets some kind of malware, that gets to the point where it runs with admin rights. It extracts the password hashes. If I'm not mistaken, there are ways to use a hash for authentication in some circumstances. Or maybe the hash is easy to crack, or on a rainbow table, or something. The malware then connects to all machines and spreads to them. Not only that, but it's hard to find out what's going on, because this isn't being logged at the DC or anywhere central, just on the individual PCs.
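Micha's last point, that local-account logons leave no trace on the domain controller, is the detection problem in this thread: the evidence exists only in each endpoint's Security log. The PowerShell below is an added example, not code from the thread, showing what a defender looks for there. For event 4624, `TargetDomainName` is the machine name for a local account and the domain's NetBIOS name for an AD account, so a type 3 (network) or type 10 (RDP) logon whose target domain equals the computer name is a local account being used remotely. The host name WS01, the domain CONTOSO and the sample records are all constructed for the offline run; the `ConvertFrom-SecurityEvent` helper flattens real `Get-WinEvent` records into the same shape.

```powershell
# Added example: flag network/RDP logons made with local accounts, from 4624 records on the endpoint.
# Assumes standard Windows Security log 4624 semantics (TargetDomainName, LogonType, TargetUserName).

function Test-LocalAccountNetworkLogon {
    param(
        [Parameter(Mandatory)] $Event,                 # flat object: EventId, LogonType, TargetUserName, TargetDomainName
        [Parameter(Mandatory)] [string]$ComputerName   # NetBIOS name of the host that wrote the log
    )
    # Logon type 3 = network (SMB, WMI, WinRM, admin shares); type 10 = RemoteInteractive (RDP).
    $remoteTypes = 3, 10
    return ($Event.EventId -eq 4624 -and
            $remoteTypes -contains [int]$Event.LogonType -and
            $Event.TargetDomainName -ieq $ComputerName -and
            -not $Event.TargetUserName.EndsWith('$'))  # machine accounts are not user logons
}

# Flatten a live EventLogRecord from Get-WinEvent into the shape Test-LocalAccountNetworkLogon expects.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            EventId          = $Record.Id
            TimeCreated      = $Record.TimeCreated
            LogonType        = $data['LogonType']
            TargetUserName   = $data['TargetUserName']
            TargetDomainName = $data['TargetDomainName']
            IpAddress        = $data['IpAddress']
        }
    }
}

# Constructed sample records (not real log data) for host WS01 in domain CONTOSO. The mix covers an
# interactive domain logon, a network domain logon, the machine account, a failed local logon (4625),
# and two local-account remote logons (one SMB-style type 3, one RDP type 10).
$sample = @(
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  TargetUserName = 'john';          TargetDomainName = 'CONTOSO'; IpAddress = '-' }
    [pscustomobject]@{ EventId = 4624; LogonType = 3;  TargetUserName = 'john';          TargetDomainName = 'CONTOSO'; IpAddress = '10.0.0.5' }
    [pscustomobject]@{ EventId = 4624; LogonType = 3;  TargetUserName = 'Administrator'; TargetDomainName = 'WS01';    IpAddress = '10.0.0.77' }
    [pscustomobject]@{ EventId = 4624; LogonType = 10; TargetUserName = 'helpdesk';      TargetDomainName = 'WS01';    IpAddress = '10.0.0.9' }
    [pscustomobject]@{ EventId = 4624; LogonType = 3;  TargetUserName = 'WS01$';         TargetDomainName = 'CONTOSO'; IpAddress = '-' }
    [pscustomobject]@{ EventId = 4625; LogonType = 3;  TargetUserName = 'Administrator'; TargetDomainName = 'WS01';    IpAddress = '10.0.0.77' }
)

$sample | Where-Object { Test-LocalAccountNetworkLogon -Event $_ -ComputerName 'WS01' } |
    Format-Table TargetDomainName, TargetUserName, LogonType, IpAddress -AutoSize

# Against the live log of the local host (run elevated; Security log reads require admin rights):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ConvertFrom-SecurityEvent |
#     Where-Object { Test-LocalAccountNetworkLogon -Event $_ -ComputerName $env:COMPUTERNAME }
```

Because this signal only exists on the individual machine, it is worth forwarding (Windows Event Forwarding or a SIEM agent) rather than querying ad hoc; once S-1-5-113/S-1-5-114 are in the deny right, any hit from this query on a given host is also evidence that the policy has not applied there.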