Bobcares

WeSupport

Call Us! 1-800-383-5193
Call Us! 1-800-383-5193
Call Us! 1-800-383-5193

Need Help?

Emergency Response Time custom

Our experts have had an average response time of 11.06 minutes in March 2021 to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

How to fix Windows: block remote network access for local user accounts

by | Jan 23, 2021

In Windows: we block remote network access for local user accounts for various reasons.

Here at Bobcares, we have seen several such Windows-related errors as part of our Server Management Services for web hosts and online service providers.

Today we’ll take a look at the cause and fix of this Windows error.

 

What causes ‘Windows: block remote network access for local user accounts’

For a number of reasons, restrictions are there to use local accounts to access another computer over the network in Active Directory environments.

The same local administrator username and password are often used on many computers. As a result, this can put multiple devices at risk if a single computer compromises.

Moreover, accessing network resources with local accounts is hard to personify and centrally monitor. Because such events are not logged on AD domain controllers.

To reduce the risk, administrators can rename the default local Windows Administrator account.

 

In Windows: how we block remote network access for local user accounts

Usually, our Support Engineers restrict network access for local accounts. We do it by using the Deny access to this computer from the network policy.

But in this policy, we need to explicitly list all accounts that need to be denied network access to the computer.

In Windows 8.1 and Windows Server 2012 R2, two new well-known security groups with new SIDs appears. One includes all local users, and the second includes all local administrators.

windows: block remote network access for local user accounts

Now, to restrict access for local accounts, we use their common SIDs.

These groups are added to the user’s access token during logon to the computer under a local account.

We make sure that in Windows 10/Windows Server 2016, the local administrator account is assigned to two new security groups. They are (NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114)). For that, we run the command:

Whoami /all

Also, we can check if these security groups exist on a Windows device by SID using the following PowerShell script:

$objSID = New-Object System.Security.Principal.SecurityIdentifier (“S-1-5-113”)
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value

If the script returns NT Authority\Local account, then this local group (with S-1-5-113 SID) exists on the computer.

We can block the remote network access under local user accounts containing these SIDs in the token. For that, we use the settings from the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

 

Deny Remote Desktop (RDP) Access for Local Users and Administrators

The Deny log on through Remote Desktop Services policy allows specifying users and groups that are explicitly denied to logon to a computer remotely via Remote Desktop. We can deny RDP access to the computer for local and domain accounts.

By default, RDP access on Windows is allowed for the administrators and members of the local Remote Desktop User group.

If we want to restrict RDP connections for local users only

  • First, we open the local GPO editor gpedit.msc (if we want to apply these settings on computers in the Active Directory domain, use the domain Group Policy Editor – gpmc.msc).
  • Then we go to the GPO section User Rights Assignment and edit the Deny log on through Remote Desktop Services policy.

After that, we add the built-in local security groups. That is “Local account and member of Administrators group” and “Local account” to the policy. We update local Group Policy settings using the command:

gpupdate /force

The deny policy takes precedence over the Allow log on through Remote Desktop Services policy. If we add a user or group in both policies, RDP access for that user will be denied.

Finally, if we try to connect to the computer under a local user via RDP, an error will appear:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.

 

Deny Access to Computer from the Network

We can deny network access to a computer under local credentials with the Deny access to this computer from the network policy.

We add the local groups “Local account” and “Local account and member of Administrators group” to the Deny access to this computer.

For a domain environment, we completely block access to workstations and domain-member servers. We do this under accounts from the Domain Admins and Enterprise Admins security groups. We use this account only to access domain controllers. This reduces the risks of capturing the administrative (privileged) account hash and privilege escalation.

After applying the policy, we won’t be able to remotely connect to this computer over the network under any local Windows account. When trying to connect to a shared network folder or map a network drive from this computer under a local account, an error appears:

Microsoft Windows Network: Logon failure: the user has not been granted the requested logon type at this computers.

When trying to establish a Remote Desktop connection under the local administrator account, an error message appears.

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

If we apply this policy to a computer that is part of a Windows workgroup, we can only logon to that computer locally.

[Need any further assistance in fixing Windows errors? – We are here to help you]

 

Conclusion

Today, we saw how our Support Engineers restrict remote network access for a local user account.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF