Summary

The network access account (NAA) is a domain account that can be configured on the site server. Clients use the NAA to access and retrieve software from a distribution point; it serves no other purpose on the client. Clients receive the NAA credentials as part of the computer (machine) policy and, upon receipt, encrypt them with the Data Protection API (DPAPI) and store them locally in WMI. If the site is configured to use HTTPS or Enhanced HTTP (eHTTP) communication, the NAA is not needed to access the contents of a distribution point. Despite HTTPS or eHTTP being configured, we sometimes find an NAA that was configured as part of the site installation and long since forgotten about. If this is your scenario, we (and Microsoft) recommend disabling the NAA entirely. Even with HTTPS or eHTTP configured, there are still several scenarios in which the NAA is required:
  • Multicast is configured for operating system deployment.
  • A task sequence is configured with the “Access content directly from a distribution point when needed by the running task sequence” option.
  • A task sequence fails to communicate with the state migration point using the device’s computer account during the “Request State Store” step; in that case the task sequence falls back to the NAA.
  • The “Apply OS image” step of a task sequence is configured to “Access content directly from the distribution point”.
  • A task sequence is configured with “Run another program first.”
  • Managing clients in untrusted domains and cross-forest trusts (don’t do this! see PREVENT-22)
If operating within one of the above scenarios, ensure the NAA is properly permissioned: it must not be able to log on interactively (locally or through Remote Desktop), must hold no privileged group memberships, and should only be able to read the distribution point network share. If none of the above scenarios pertain to the site in question, Microsoft recommends disabling the NAA in favor of using HTTPS or Enhanced HTTP communications for retrieving software from distribution points. The NAA configuration window is shown in Figure 1 with the “Remove” option highlighted.
Figure 1 - Network access account configuration

NOTE: When disabling or changing the NAA, it is paramount to disable the old account in Active Directory. This is explained in PREVENT-15.
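The checks below are an added example, not code from the original page or from the Misconfiguration Manager project. They verify the three things the guidance above asks for: that clients no longer carry an NAA in their machine policy after it has been removed from the site, that the NAA itself is a low-value account in Active Directory, and that it is denied interactive and Remote Desktop logon on a given host. The account name CONTOSO\svc_naa is a placeholder; the AD part assumes the ActiveDirectory module is installed, and the logon-rights part must run elevated on the host being checked (for example a distribution point).

```powershell
# Added example (not from the original page): NAA hygiene checks.
# Assumptions: the NAA is the placeholder account CONTOSO\svc_naa; Part 1 runs on a
# ConfigMgr client; Part 2 needs the ActiveDirectory module; Part 3 runs elevated on
# the host (DP or client) whose logon-rights policy you want to verify.

# --- Part 1: does this client still carry an NAA in its machine policy? --------
# Clients keep the DPAPI-protected NAA user name and password blobs in the
# CCM_NetworkAccessAccount class under root\ccm\policy\Machine\ActualConfig.
# After the account is removed from the site and machine policy has refreshed,
# no instance should have a populated NetworkAccessUsername blob.
function Test-NaaPresentOnClient {
    $instances = Get-CimInstance -Namespace 'root\ccm\policy\Machine\ActualConfig' `
                                 -ClassName 'CCM_NetworkAccessAccount' `
                                 -ErrorAction SilentlyContinue
    $populated = @($instances | Where-Object { -not [string]::IsNullOrEmpty($_.NetworkAccessUsername) })
    if ($populated.Count -gt 0) {
        # The blob is DPAPI-encrypted, so only its presence is reported here.
        Write-Warning "$env:COMPUTERNAME still holds an NAA in its machine policy"
    }
    return ($populated.Count -gt 0)
}

# --- Part 2: is the NAA itself a low-value account in AD? ---------------------
function Test-NaaAccountHygiene {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = @('AdminCount', 'ServicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires')
    $user = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = New-Object System.Collections.Generic.List[string]

    # Resolve membership recursively so nesting in a privileged group is caught too.
    $privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                          'Account Operators', 'Server Operators', 'Backup Operators', 'DnsAdmins')
    foreach ($g in $privilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }) {
            $findings.Add("member (directly or nested) of privileged group '$g'")
        }
    }
    if ($user.AdminCount -eq 1) {
        $findings.Add('AdminCount=1: protected by AdminSDHolder, i.e. the account is or was privileged')
    }
    if ($user.ServicePrincipalName.Count -gt 0) {
        $findings.Add('has SPNs registered: the account is Kerberoastable')
    }
    if ($user.PasswordNeverExpires) { $findings.Add('password never expires') }
    if ($user.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
        $findings.Add("password last set $($user.PasswordLastSet)")
    }
    return $findings   # empty list means no findings
}

# --- Part 3: is the NAA denied interactive and RDP logon on this host? --------
# Exports the effective local security policy with secedit (requires elevation)
# and looks for the NAA's SID in the two deny-logon user rights. These rights are
# normally delivered by GPO, so run this on a DP and on a representative client.
function Test-NaaDeniedInteractiveLogon {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$SamAccountName)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $SamAccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'naa-secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($right in @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')) {
        # secedit writes SIDs with a leading '*', e.g.  SeDenyInteractiveLogonRight = *S-1-5-21-...
        $line = $policy | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $result[$right] = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
    }
    return $result   # both values should be $true for a correctly restricted NAA
}

# Usage (run each part where it applies):
#   Test-NaaPresentOnClient                                                      # on a client
#   Test-NaaAccountHygiene -SamAccountName 'svc_naa'                             # on an admin host
#   Test-NaaDeniedInteractiveLogon -Domain 'CONTOSO' -SamAccountName 'svc_naa'   # elevated, on a DP
```

Part 1 only tells you whether the client still holds an NAA in policy; if it returns true long after the account was removed from the site, force a machine policy retrieval and re-check before assuming the removal did not take effect. Part 3 inspects the policy of the host it runs on, so a false result on one machine does not mean the deny-logon rights are missing everywhere; check the hosts that matter (distribution points and a sample of clients).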

Linked Defensive IDs

Associated Offensive IDs

References