Remote local administrator & LocalAccountTokenFilterPolicy
This post is addressing the ability to invoke remote commands using the context of a remote local administrator, and disabling the LocalAccountTokenFilterPolicy filter.
Remote local administrator
There are times when you have couple of servers or machines that are not member of you domain. They are stand alone machines, and they exist for couple of reasons. Nowadays, with all security concerns and attacks, many application architectures contain standalone not domain joined roles. Take Microsoft Lync for example, they have a separate Edge role to handle media from external clients and for security reasons, this role is meant to be a standalone deployment and never joined to the internal domain. There are many other examples.
If you are going to invoke a remote PowerShell session to one of those stand alone machines, you need to do so with a security context, and most of the time, with the privileges of the local administrator on the remote machine.
Say you want to connect to a stand alone machine, and get some WMI data using PowerShell. How a script running on my script server that is member of contoso domain, and running under contoso\user1 credentials, will be able to connect to that remote standalone server and get WMI data for example.
LocalAccountTokenFilterPolicy is the secret that makes this possible, and I will show you how this can be done:
- Go to the stand alone computer, create a local user called User1 with the same password as Contoso\User1 (which is the account im using to run scripts on the domain joined script server). Add User1 to the local administrators group on that stand alone machine. You will end up with a domain user called contoso\User1 that will be used to run the PowerShell script from the joined machine, and a local user User1 on the stand alone machine, that is member of the local administrators group.
- Now, make sure the password for both users are the same.
- On the standalone server, I have to disablee something called (LocalAccountTokenFilterPolicy) to do the trick. This is saying that, if I receive a connection with a user name and password that matches a local user account on my local credential store, I will consider it valid transaction. To disable such LocalAccountTokenFilterPolicy, browse the following registry key, create it if not existing, and put the value = 1.
Data: 1 (to disable, 0 enables filtering)
Type: REG_DWORD (32-bit)
Accessing Remote local administrator account in this way is somehow risky. If you are going to play with LocalAccountTokenFilterPolicy, then make sure you understand the consequences. The risk is that someone can connect remotely to the machine, and associate himself to the context of the remote local administrator on that standalone machine, and do nasty things.
Read more about this registry key here