Why Disabling Network Login for Local Accounts is Critical: Security Risks of Unsalted Credentials in RDP/AD Environments

When examining @SwiftOnSecurity's warning about disabling network logon for local accounts, we're dealing not with a bug but with a design property of Windows authentication: a local account can only authenticate across the network with NTLM, and NTLM proves possession of the account's NT hash rather than of the password, so anyone holding the hash can authenticate as the account. The core issue is how local account credentials are stored and proven during network authentication.

Local accounts used over the network (RDP with Network Level Authentication, SMB, WinRM, WMI) rely on NTLM, because a standalone machine's SAM has no Kerberos KDC behind it. Here's the critical security gap:

// Simplified view of what the SAM stores per local account (illustration, not a real Windows structure)
struct LocalCredential {
    string   username;
    byte[16] ntHash;   // MD4(UTF-16LE(password)): no per-user salt and no iteration count
    // There is no salt field: the same password yields the same NT hash for every account on
    // every machine, and the hash alone is enough to authenticate over NTLM (pass-the-hash).
}

Domain accounts store the same unsalted NT hash (NTLM for a domain account is no stronger cryptographically), so the contrast is not "salted versus unsalted". What differs is that a domain account normally authenticates with Kerberos, whose AES keys are derived with a salt (realm plus principal name), while a local account has NTLM as its only network option. Worse, the local Administrator account exists on every machine, and in many environments the build image gives it the same password everywhere, so one stolen hash is valid across the estate. This makes local-account network logons vulnerable to:

  • Pass-the-hash attacks: the NT hash recovered from one SAM authenticates to every other host where the same local password is set
  • Credential relay and replay: an NTLM challenge-response can be relayed to another service that accepts it when signing is not required
  • Offline cracking and rainbow tables: with no salt, one precomputed table of NT hashes covers every local account in the estate

Consider this common enterprise situation:

// Attacker workflow example
1. Compromise a workstation and obtain local admin (SYSTEM) rights
2. Dump credential material with Mimikatz:
   mimikatz # lsadump::sam              (NT hashes of local accounts, read from the SAM)
   mimikatz # sekurlsa::logonpasswords  (hashes of currently logged-on users, read from LSASS)
3. Extract the unsalted NT hash of the local administrator
4. Reuse it across the network with pass-the-hash over SMB, WMI or WinRM (e.g. mimikatz # sekurlsa::pth);
   RDP accepts a hash only where the target allows Restricted Admin mode

The registry values usually quoted alongside this advice are worthwhile hardening, but none of them blocks network logon by local accounts: NoLMHash only stops storing the weak LM hash, LimitBlankPasswordUse only affects accounts with an empty password, and RestrictAnonymousSAM only affects anonymous enumeration. The value that does matter for local administrators is LocalAccountTokenFilterPolicy: at 0 (the default, which is what UAC remote restrictions rely on) a local administrator other than the built-in RID 500 account receives a filtered, non-elevated token over the network, which defeats most pass-the-hash remote administration; setting it to 1 removes that protection. Blocking network and RDP logon outright is done with the user rights "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", not through the Lsa key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"RestrictAnonymousSAM"=dword:00000001
"NoLMHash"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000000

Or via PowerShell:

# Complementary hardening; the actual network-logon block is the deny user right, not these values
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $lsa -Name "LimitBlankPasswordUse" -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name "RestrictAnonymousSAM" -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name "NoLMHash" -Value 1 -Type DWord
# Keep UAC remote restrictions for local administrators (0 = filtered token over the network)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0 -Type DWord
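
One way to assign the two deny rights, "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", from PowerShell, as an added example that is not part of the original page: Windows has no built-in cmdlet for user rights, so the script drives secedit, which works on an INF template. It exports the current assignments, merges the well-known SID into them and re-imports, so entries that are already there (Guests, for instance) are kept. The well-known SIDs S-1-5-113 ("Local account") and S-1-5-114 ("Local account and member of Administrators group") exist on Windows 8.1 / Server 2012 R2 and later, and on older versions with KB2871997; the function names and scratch-file names are this example's own.

```powershell
# Added example: deny network and RDP logon to local accounts via secedit. Run elevated.
# S-1-5-114 blocks only local administrators (ordinary local users keep network logon);
# pass -Sid S-1-5-113 to block every local account.
function Add-LocalAccountDenyLogon {
    [CmdletBinding()]
    param(
        [string]   $Sid    = 'S-1-5-114',
        [string[]] $Rights = @('SeDenyNetworkLogonRight',             # "Deny access to this computer from the network"
                               'SeDenyRemoteInteractiveLogonRight')   # "Deny log on through Remote Desktop Services"
    )
    $cfg = Join-Path $env:TEMP 'user-rights.inf'   # scratch files; names are arbitrary
    $db  = Join-Path $env:TEMP 'user-rights.sdb'

    # Export what is assigned today so the merge adds to, rather than replaces, the lists.
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $lines = [System.Collections.Generic.List[string]](Get-Content -Path $cfg)

    foreach ($right in $Rights) {
        # Find the existing line for this right, e.g. "SeDenyNetworkLogonRight = *S-1-5-32-546"
        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -like "$right *") { $idx = $i; break }
        }
        if ($idx -ge 0) {
            # Right already assigned to someone: append our SID unless it is already there.
            if ($lines[$idx] -notlike "*$Sid*") { $lines[$idx] += ",*$Sid" }
        } else {
            # Right assigned to nobody: secedit omits the line, so create it in [Privilege Rights].
            $section = $lines.IndexOf('[Privilege Rights]')
            $lines.Insert($section + 1, "$right = *$Sid")
        }
    }

    # secedit expects a UTF-16LE INF; import only the USER_RIGHTS area so nothing else changes.
    $lines | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
}

# Verify: export again and show the two deny rights as now assigned.
function Get-LocalAccountDenyLogon {
    $cfg = Join-Path $env:TEMP 'user-rights-check.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Get-Content -Path $cfg | Where-Object { $_ -match '^SeDeny(NetworkLogon|RemoteInteractiveLogon)Right' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

Add-LocalAccountDenyLogon
Get-LocalAccountDenyLogon
```

In the INF that secedit exports, SIDs are written with a leading asterisk and comma-separated, which is why the script appends ",*S-1-5-114" rather than the bare SID. In a domain, put the same two rights in a GPO linked to workstations and member servers rather than scripting each host, and pilot it on one OU first: any local account that something depends on for network access (a scanner service, a backup job) is cut off the moment the policy applies.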

The secure approach would be:

// Recommended authentication policy (pseudocode)
if (userIsLocalAccount) {
    allowConsoleLogonOnly();         // deny the network and RDP logon rights; unique per-machine password (LAPS)
} else {
    requireKerberosOrModernAuth();   // domain account: Kerberos, ideally smart card or Windows Hello for Business
}

For remote access scenarios, implement:

  • Azure AD Hybrid Join with Windows Hello for Business
  • Certificate-based authentication for RDP
  • RD Gateway with MFA requirements

When rolling out this security measure, first find local accounts that currently hold network (type 3: SMB, WinRM, WMI) or RemoteInteractive (type 10: RDP) sessions, so the deny right does not break a service or jump path someone depends on:

# Audit script: active network/RDP logon sessions held by local accounts
$localNames = (Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True").Name
Get-CimInstance -ClassName Win32_LogonSession -Filter "LogonType=3 OR LogonType=10" | ForEach-Object {
    $session = $_
    # Win32_LoggedOnUser links each session to its account; keep only accounts local to this host
    Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account |
        Where-Object { $_.Domain -eq $env:COMPUTERNAME -and $localNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Account     = "$($_.Domain)\$($_.Name)"
                LogonType   = $session.LogonType               # 3 = Network, 10 = RemoteInteractive (RDP)
                AuthPackage = $session.AuthenticationPackage   # NTLM for a local account over the network
                StartTime   = $session.StartTime
            }
        }
}

When local accounts are permitted to authenticate over the network, they can only do so with NTLM (there is no Kerberos for a standalone SAM), and NTLM proves possession of the unsalted NT hash rather than of the password: the hash can be reused directly, and a captured NTLMv2 challenge-response can be brute-forced offline. The fundamental issue isn't about RDP specifically, but about how Windows authenticates local accounts across the network.

Here's what makes local account network logins dangerous:

// Simplified view of a SAM credential entry (illustration, not a real Windows structure)
typedef struct {
    WCHAR username[256];
    BYTE  lm_hash[16];   // legacy LM hash; empty when NoLMHash is set (the default since Vista)
    BYTE  nt_hash[16];   // MD4(UTF-16LE(password)); no salt and no iteration count
    DWORD flags;         // account flags (disabled, locked out, ...); there is no "salted" variant
} CREDENTIAL_CACHE_ENTRY;

Domain accounts store the same unsalted NT hash (the KDC uses it as the RC4 Kerberos key, and NTLM uses it when a domain account falls back to NTLM), so "proper salting" is not what separates the two. The difference is in how the accounts are used: a domain account normally authenticates with Kerberos, whose AES keys are salted with the realm and principal name, and it exists once in the directory, whereas a local account used for network authentication:

  • Has NTLM as its only network authentication method, so possession of the static hash is enough
  • Exists separately on every machine, frequently with an identical password set by the build image
  • Produces the identical NT hash for the same password on every machine, so one dump unlocks them all

The security risk manifests in several ways that differ from the described RDP scenario:

  1. Lateral Movement: If an attacker compromises one machine, they can reuse the local administrator's hash or password against every other machine that shares it, which is why LAPS-style unique local passwords belong alongside the deny-logon rights.
  2. Credential Theft: Each network authentication by a local account exposes an NTLM challenge-response that can be captured or relayed, and cracked offline because the underlying hash is unsalted.
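
A detection view of the same exposure, as an added example that is not part of the original page: it reads Security event 4624 on a host and reports local accounts that have logged on over the network (LogonType 3: SMB, WinRM, WMI) or through RDP (LogonType 10), which is exactly the traffic the deny rights are meant to stop. The test for "local account" is that TargetDomainName equals the computer name (a domain account carries the domain there). The function name and the seven-day window are this example's own choices; it needs rights to read the Security log.

```powershell
# Added example: local accounts that authenticated over the network, from Security event 4624.
function Get-LocalAccountNetworkLogon {
    param(
        [datetime] $Since        = (Get-Date).AddDays(-7),   # window is an arbitrary default
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        # 3 = Network (SMB/WinRM/WMI), 10 = RemoteInteractive (RDP). A local account's
        # TargetDomainName is the host name itself; machine accounts end in '$' and are skipped.
        if (($d.LogonType -eq '3' -or $d.LogonType -eq '10') -and
            $d.TargetDomainName -eq $ComputerName -and
            $d.TargetUserName -notlike '*$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                AuthPackage = $d.AuthenticationPackageName   # NTLM for every local-account network logon
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        }
    }
}

# Summarise per account and source address so one local admin hash used from many places stands out.
Get-LocalAccountNetworkLogon |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
```

Run across a fleet (or against centrally collected 4624 events), the same account name appearing with LogonType 3 from a single source address on many hosts is the signature of pass-the-hash lateral movement with a shared local administrator password. After the deny rights are in place the same attempts surface as 4625 failures with status 0xC000015B (logon type not granted), which is the event to alert on.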

For remote access scenarios, better solutions exist, such as WinRM over HTTPS with Kerberos or certificate authentication for domain accounts rather than NTLM to a local account:

# PowerShell example for proper remote access configuration
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false          # no cleartext Basic auth
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false    # require an encrypted transport
# HTTPS listener bound to a server certificate already in LocalMachine\My (thumbprint is a placeholder)
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint "<thumbprint>" -Force
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" `
    -Name "Windows Remote Management (HTTPS-In)" `
    -Direction Inbound -Profile Any -LocalPort 5986 -Protocol TCP -Action Allow

To disable network logon for local accounts while keeping console logon working, the control is a user rights assignment, not a registry value. The Lsa values LimitBlankPasswordUse, RestrictAnonymousSAM and NoLMHash shown earlier are worth keeping, but they do not restrict who may log on over the network, and the same goes for their Security Options equivalents ("Accounts: Limit local account use of blank passwords to console logon only" and "Network security: Do not store LAN Manager hash value on next password change").

For enterprise environments, implement these Group Policy settings:

  • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment:
    • "Deny access to this computer from the network" → add "Local account and member of Administrators group" (S-1-5-114), or "Local account" (S-1-5-113) to cover every local user
    • "Deny log on through Remote Desktop Services" → add the same group
  • Computer Configuration → Administrative Templates → MS Security Guide (SecGuide.admx from the Security Compliance Toolkit):
    • "Apply UAC restrictions to local accounts on network logons" → Enabled (keeps LocalAccountTokenFilterPolicy at 0)

Do not add these groups to "Deny log on locally": a machine that has lost its domain trust is recovered at the console with the local administrator, and the settings above leave that path open. Pilot the policy on one OU before it reaches servers, since any local account that a service or backup job uses for network access is cut off the moment it applies.

For legitimate remote access requirements, consider an RD Gateway deployment, where the gateway terminates the connection and is the point at which NPS/MFA policy is enforced:

# Example RD Gateway configuration in PowerShell (RemoteDesktop module, run on the broker; hostnames are placeholders)
New-RDSessionDeployment -ConnectionBroker "rdcb.contoso.com" `
    -WebAccessServer "rdweb.contoso.com" `
    -SessionHost "rdsh.contoso.com"
Add-RDServer -Server "rdgw.contoso.com" -Role RDS-GATEWAY `
    -ConnectionBroker "rdcb.contoso.com" -GatewayExternalFqdn "rdgw.contoso.com"
# Force every client through the gateway, including clients on the internal network
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn "rdgw.contoso.com" `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker "rdcb.contoso.com" -Force

Key security measures for remote access:

  1. Always use VPN + RDP rather than exposing RDP directly
  2. Implement RD Gateway with multifactor authentication
  3. Use certificate-based authentication where possible