Network access: Sharing and security model for local accounts

Understanding " Sharing and security model for local accounts" policy configuration.

This policy setting determines how network logons that use local accounts are authenticated. Adding a 'Classic' configuration to this policy, allows local users to authenticate as themselves against a network server. A 'Guest' configuration allows network logons that use local accounts to automatically map to the Guest account.

You are provided with a precise control over access to resources with a 'Classic' configuration. It also enables you to grant different users different kinds of accesses to the same resource.

The 'Guest only' model on the other hand is impartial to all users and they all receive the same level of access (Read Only or Modify) to a given resource.

Note: Domain accounts are not affected by this policy. Interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services are also immune to this policy setting.

A 'Guest only' value allows local users to authenticate as Guest which translates into any user can access your device over the network with Guest user permissions . This also means that 'write' privileges are not afforded to these users. This is a security enhancement, but makes it impossible for authorized users as well to access shared resources on those systems because ACLs on those resources must include access control entries (ACEs) for the Guest account. Alternatively a 'Classic' value which allows local users authenticate as themselves, lets local user accounts that are password-protected access shared system resources.

Microsoft recommends that this policy be configured to 'Classic'. Also no restarts are required to deploy this policy.

This policy can be located at Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options.

Group Policy

This policy setting can be configured by using the Group Policy Management Console (GPMC) and can be distributed through Group Policy Objects (GPOs). If this policy is not maintained in a distributed GPO, configuration can be done on a local computer through the Local Security Policy snap-in.

About ADAudit Plus:

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

• Authorized and unauthorized AD management changes
• User logons, logoffs, and account lockouts
• GPO changes
• Group attribute and membership changes
• OU changes
• Privileged access and permission changes
• Azure AD logons, and changes to roles, groups, and applications
• PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.