Access This Computer From the Network – Best Practices for DC and Member Servers

By Keren Pollack, on May 6th, 2021

Setting which group of users can access a computer from the network is a fundamental step in a hardening project. Hardening can be a painful procedure when done in complex environments. If you are reading this article, you probably know it. Endless hours and resources are invested in this task. However, despite the efforts, hardening often causes downtime. In fact, over 60% of IT professionals report they’ve experienced downtime while trying to harden their infrastructure*.

 

After years of hardening using the traditional manual tools, we concluded that using hardening automation tools is essential for achieving a successful hardening project and a good compliance posture. Learn more about server hardening automation.

 

This post aims to provide basic information and configuration recommendations for setting ‘Access this computer from the network’ rules. After deciding on your policy, test it before enforcing it to make sure it will not cause damage.

This blog post will cover:

  1. Access this computer from the network – what does it mean?
  2. Access this computer from the network – potential vulnerability
  3. Countermeasures
  4. The potential impact of a configuration change
  5. Criticality
  6. How to change the ‘Access this computer from the network’ setting

 

Access this computer from the network – what does it mean?

This policy setting controls which users can access a device from the network. Several network protocols depend on it. Securing it by limiting which users have access is critical, but generate an impact analysis before enforcing your rules.

 

Access this computer from the network – potential vulnerability

If you don’t limit who can access your machines from the network, uninvited malicious users can take advantage of this to access and read protected data, such as shared printers and folders.

 

Note! The default value of this setting includes ‘Everyone’. Therefore, you must harden this setting, or you’ll be highly exposed to attacks.

 

Countermeasures

Allow only the users who need to access the computer from the network to do so.

There are 4 cases to consider:

  1. Domain Controllers: allow access only to Administrators, Authenticated Users, Enterprise Domain Controllers.
  2. Member Servers and Endpoints: allow access only to Administrators, Authenticated Users.
  3. High-security environment: aim to restrict access from all users if possible.
  4. End Points: allow access only to Authenticated Users and Administrators.

 

                            Everyone  Authenticated Users  Enterprise Domain Controllers  Administrators  No One
End Point                   -         V                    -                              V               -
Member Server               -         V                    -                              V               -
Domain Controllers          -         V                    V                              V               -
High-Security Environments  -         -                    -                              -               V

 

The potential impact of a configuration change

System components such as ASP.NET and IIS servers might be impacted by this hardening action. Determine which user accounts need access from the network for these components to continue working properly.

In addition, a few network protocols depend on this setting:

  1. Server Message Block (SMB) protocols
  2. NetBIOS
  3. Common Internet File System (CIFS)
  4. Component Object Model Plus (COM+)

Before changing this setting, make sure you’re not using these protocols.

 

Criticality

CIS labels this setting as Level 1 for both Domain Controllers and Member Servers, which means it should be a top priority in your hardening project.

 

How to change the ‘Access this computer from the network’ setting

The best approach for this configuration change is to use hardening automation. That way you automatically get an impact analysis and can enforce your desired settings across the entire production environment from a single point of control.

 

Changing ‘Access this computer from the network’ using a GPO:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

 

Changing ‘Access this computer from the network’ using a Registry Key:

You normally can’t control user rights settings using registry keys, but there is a possible hack for this one.

Look at where your policy information is stored. Possible locations are:

HKEY_LOCAL_MACHINE\Software\Policies 
HKEY_CURRENT_USER\Software\Policies 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies 

Find the policy and change it according to your needs.
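
To check the effective assignment after a change made by either method, the script below (an added example, not code from this post or from CalCom) parses a secedit export and compares the accounts holding SeNetworkLogonRight, the user-right constant behind this setting, with the baselines from the Countermeasures section. The function names, role labels and sample INF lines are constructed for illustration.

```powershell
# Well-known SIDs for the groups named in the article.
$Sid = @{
    'Everyone'                      = 'S-1-1-0'
    'Authenticated Users'           = 'S-1-5-11'
    'Enterprise Domain Controllers' = 'S-1-5-9'
    'Administrators'                = 'S-1-5-32-544'
}
# Baselines from the Countermeasures section; role labels are chosen for this example.
$Baseline = @{
    'EndPoint'         = @($Sid['Authenticated Users'], $Sid['Administrators'])
    'MemberServer'     = @($Sid['Authenticated Users'], $Sid['Administrators'])
    'DomainController' = @($Sid['Authenticated Users'], $Sid['Enterprise Domain Controllers'], $Sid['Administrators'])
    'HighSecurity'     = @()
}

function Get-NetworkLogonRight {
    # Returns the principals (SIDs, or names secedit could not map to a SID) holding the right.
    param([string[]]$InfLines)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }   # entry absent: the right is assigned to no one
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-NetworkLogonRight {
    param(
        [string[]]$InfLines,
        [ValidateSet('EndPoint', 'MemberServer', 'DomainController', 'HighSecurity')][string]$Role
    )
    $actual  = @(Get-NetworkLogonRight -InfLines $InfLines)
    $allowed = $Baseline[$Role]
    $extra   = @($actual | Where-Object { $_ -notin $allowed })
    [pscustomobject]@{
        Role      = $Role
        Extra     = $extra                                            # outside the baseline: review and remove
        Missing   = @($allowed | Where-Object { $_ -notin $actual })  # in the baseline but not assigned
        Compliant = ($extra.Count -eq 0)                              # "allow access only to": extras fail
    }
}

# Constructed sample of a secedit export that still grants the right to Everyone.
$sample = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544'
)
Test-NetworkLogonRight -InfLines $sample -Role MemberServer
# Live use (elevated prompt): secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# then: Test-NetworkLogonRight -InfLines (Get-Content "$env:TEMP\rights.inf") -Role MemberServer
```

Running the same check before enforcement shows which accounts would lose network access, which feeds the impact analysis recommended above.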

 

*according to research done by CalCom