From 5b0a1df8065f6ab52c34468b4b9fd12d10ad4eef Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 3 Aug 2023 13:36:28 +0200 Subject: [PATCH] Local accounts updates --- .../access-control/local-accounts.md | 99 +++++++------------ 1 file changed, 35 insertions(+), 64 deletions(-) diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index a2c64c37a0..7fad8e5639 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,11 +1,8 @@ --- -ms.date: 12/05/2022 +ms.date: 08/03/2023 title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.topic: conceptual -ms.collection: - - highpri - - tier2 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso Default local user accounts are described in the following sections. Expand each section for more information. -
-
-Administrator +### Administrator The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. @@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation. -**Account group membership** +#### Account group membership By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device. The Administrator account can't be removed from the Administrators group. -**Security considerations** +#### Security considerations Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. 
@@ -61,39 +56,31 @@ As a security best practice, use your local (non-Administrator) account to sign Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). > [!IMPORTANT] -> -> - Blank passwords are not allowed. > -> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. +> - Blank passwords are not allowed +> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled. -
-
-
-Guest +### Guest The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary. -**Account group membership** +#### Guest account group membership -By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device. +By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device. -**Security considerations** +#### Guest account security considerations When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers. In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. -
- -
-
-HelpAssistant +### HelpAssistant The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. -**Security considerations** +#### HelpAssistant account security considerations The SIDs that pertain to the default HelpAssistant account include: @@ -105,7 +92,7 @@ For the Windows Server operating system, Remote Assistance is an optional compon For details about the HelpAssistant account attributes, see the following table. -**HelpAssistant account attributes** +#### HelpAssistant account attributes |Attribute|Value| |--- |--- | @@ -118,11 +105,7 @@ For details about the HelpAssistant account attributes, see the following table. |Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| -
- -
-
-DefaultAccount +### DefaultAccount The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic. 
@@ -135,19 +118,20 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**, The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). #### How Windows uses the DefaultAccount -From a permission perspective, the DefaultAccount is a standard user account. -The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). -MUMA apps run all the time and react to users signing in and signing out of the devices. -Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. -MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. -Today, Xbox automatically signs in as Guest account and all apps run in this context. -All the apps are multi-user-aware and respond to events fired by user manager. +From a permission perspective, the DefaultAccount is a standard user account. +The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). +MUMA apps run all the time and react to users signing in and signing out of the devices. +Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. + +MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. +Today, Xbox automatically signs in as Guest account and all apps run in this context. +All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account. -Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. 
+Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. -In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. +In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. For this purpose, the system creates DSMA. #### How the DefaultAccount gets created on domain controllers @@ -158,35 +142,25 @@ If the domain was created with domain controllers running an earlier version of #### Recommendations for managing the Default Account (DSMA) Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. -
## Default local system accounts -
-
-SYSTEM +### SYSTEM - -The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. +The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. > [!NOTE] > To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. -
-
-
-NETWORK SERVICE +## NETWORK SERVICE The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). -
-
-
-LOCAL SERVICE + +## LOCAL SERVICE The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). -
## How to manage local user accounts @@ -203,17 +177,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by ### Restrict and protect local accounts with administrative rights -An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". +An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*. The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section. The other approaches that can be used to restrict and protect user accounts with administrative rights include: -- Enforce local account restrictions for remote access. - -- Deny network logon to all local Administrator accounts. - -- Create unique passwords for local accounts with administrative rights. +- Enforce local account restrictions for remote access +- Deny network logon to all local Administrator accounts +- Create unique passwords for local accounts with administrative rights Each of these approaches is described in the following sections. 
@@ -234,8 +206,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. - - |No.|Setting|Detailed Description| |--- |--- |--- | ||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options| @@ -251,7 +221,7 @@ The following table shows the Group Policy and registry settings that are used t > [!NOTE] > You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. - + #### To enforce local account restrictions for remote access 1. Start the **Group Policy Management** Console (GPMC) @@ -286,6 +256,7 @@ The following table shows the Group Policy and registry settings that are used t 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Create links to all other OUs that contain workstations 1. Create links to all other OUs that contain servers + ### Deny network logon to all local Administrator accounts Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
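Review bot: The front-matter hunk (`@@ -1,11 +1,8 @@`) drops the whole `ms.collection` block (`highpri`, `tier2`) without any mention in the commit message, which only says "Local accounts updates"; removing the page from those collections is a metadata change with its own consequences, so either state in the commit message that de-prioritising the page is intended or keep the three `ms.collection` lines and land only the `ms.date: 08/03/2023` bump here.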
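Review bot: In the hunk at `@@ -30,9 +27,7 @@`, the unchanged context line "Default local user accounts are described in the following sections. Expand each section for more information." becomes wrong once the collapsible sections are replaced by the plain `### Administrator` heading (and the other `###` headings later in the patch): there is nothing left to expand. Drop the second sentence or reword the line to something like "The following sections describe each default local user account."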
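Review bot: In the hunk at `@@ -61,39 +56,31 @@`, the Guest membership line now reads "the default Guests group `SID S-1-5-32-546`", which puts the word "SID" inside the code span and loses the parentheses the old line had; the Administrator section a few lines earlier still uses the prose form "(SID S-1-5-*domain*-500, display name Administrator)", so keep that convention and code-format only the identifier, e.g. "the default Guests group (SID `S-1-5-32-546`)". Two smaller points in the same hunk: the rewritten IMPORTANT note ends its first bullet without a period ("Blank passwords are not allowed") while the second bullet is three full sentences, so pick one style; and the new sub-headings are named "#### Guest account group membership" / "#### Guest account security considerations" while the Administrator section uses "#### Account group membership" / "#### Security considerations". If the prefix is there to keep heading anchors unique, apply it consistently (e.g. "#### Administrator account group membership") rather than only to Guest and HelpAssistant.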
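Review bot: Heading levels are inconsistent in the hunk at `@@ -158,35 +142,25 @@`: `SYSTEM` becomes `### SYSTEM` under `## Default local system accounts`, but the two sibling accounts become `## NETWORK SERVICE` and `## LOCAL SERVICE`, which promotes them out of the "Default local system accounts" section and makes them peers of it in the table of contents. Change both to `### NETWORK SERVICE` and `### LOCAL SERVICE` to match `### SYSTEM`.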