Closed benjaminrein closed 3 years ago
> I just want to make you aware that setting LocalAccountTokenFilterPolicy=1 creates a huge security risk for the whole network
Honestly, I would beg to differ. Yes, there is a security risk here, in that it means any local accounts are elevated when logged on with a network logon like SMB. But this policy only applies to local accounts, specifically local accounts that are not the builtin Administrator account by default. Any domain account, or the builtin admin account (by default), will not be filtered and acts like LocalAccountTokenFilterPolicy=1. So from a Pass The Hash perspective this is only a security issue if you are
In a domain environment you usually connect with a domain account, which is always elevated on a network logon, bypassing the need for this policy. If you do need to use a local account then this typically must be set, as the mechanism to create the PSExec service requires admin rights from the SMB network logon. If you must use local accounts then your environment should not be using the same password, limiting the effectiveness of the pass the hash attack, and LAPS is a great tool to make sure you are using unique local account passwords.
I think I've thoroughly documented when this setting must be used https://github.com/jborean93/pypsexec#user-account-control.
Hi @jborean93,
I just want to make you aware that setting LocalAccountTokenFilterPolicy=1 creates a huge security risk for the whole network. It enables Pass The Hash attacks (e.g. using mimikatz) in the network. This kind of attack is often used for lateral movement as part of a malware attack (Emotet and the like). I know that a lot of Microsoft documentation which uses LocalAccountTokenFilterPolicy as a workaround does not clearly state the risk that changing this setting comes with. I would suggest including a hint in your documentation.
The use of Local Account Password Solution (LAPS), which changes local passwords at a configurable interval, is known to reduce the risk. Unfortunately LAPS needs Group Policy and Active Directory to work.
Very detailed explanation: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
Regards Benjamin
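Both posts above turn on the same two registry values under the UAC policy key: LocalAccountTokenFilterPolicy (which jborean93 says pypsexec needs when authenticating with a non-builtin local account) and the default exemption of the builtin Administrator account from token filtering (controlled by FilterAdministratorToken). The following PowerShell audit script is an added example written for this page; it is not part of pypsexec and was not posted by either participant. It assumes a Windows host with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser), an elevated session, and the documented defaults that an absent value means 0. The function names are my own.

```powershell
# Added example (not pypsexec code): audit the UAC remote-restriction state
# discussed in this thread. Run in an elevated PowerShell on the target host.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRemoteRestrictionState {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # LocalAccountTokenFilterPolicy: absent or 0 = remote UAC restrictions on (default),
    # network logons by local admins get a filtered (non-admin) token;
    # 1 = local admins get a full token over SMB, which PsExec-style service
    # creation needs, and which is what makes a stolen local hash usable remotely.
    $tokenFilter = 0
    if ($null -ne $props.LocalAccountTokenFilterPolicy) {
        $tokenFilter = [int]$props.LocalAccountTokenFilterPolicy
    }

    # FilterAdministratorToken: absent or 0 = the builtin Administrator (RID 500)
    # is exempt from filtering (default); 1 = it is filtered like other local admins.
    $adminFiltered = 0
    if ($null -ne $props.FilterAdministratorToken) {
        $adminFiltered = [int]$props.FilterAdministratorToken
    }

    # The RID-500 account can be renamed, so match on the SID suffix, not the name.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
    $builtinEnabled = [bool]$builtinAdmin.Enabled

    [pscustomobject]@{
        ComputerName                      = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy     = $tokenFilter
        FilterAdministratorToken          = $adminFiltered
        BuiltinAdminName                  = $builtinAdmin.Name
        BuiltinAdminEnabled               = $builtinEnabled
        # Other local admins can run remote code over SMB only when the policy is 1.
        OtherLocalAdminsFullTokenRemotely = ($tokenFilter -eq 1)
        # The RID-500 account can do so by default unless disabled or explicitly filtered.
        BuiltinAdminFullTokenRemotely     = ($adminFiltered -eq 0 -and $builtinEnabled)
    }
}

# Hypothetical helpers: enable the policy only for the duration of a pypsexec task,
# then remove the value so the host returns to the documented default (filtered).
function Enable-LocalAccountTokenFilter {
    Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
}

function Disable-LocalAccountTokenFilter {
    Remove-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
}

Get-UacRemoteRestrictionState | Format-List
```

If OtherLocalAdminsFullTokenRemotely is true on a host that does not currently need pypsexec with a local account, the practical reading of this thread is to remove the value (the Disable function above) or, where it must stay, to make sure the local admin passwords are unique per host (LAPS) so that one captured hash does not work against the whole network.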