I was using Metasploit on an internal test (it’s been a while as I meant to write this up some time ago) and I came across the following issue when attempting to gain access to a Windows 7 system via a remote PSExec/Meterpreter session with a compromised local administrator account hash: ‘The server responded with error: STATUS_ACCESS_DENIED (Command=117)’.
It dawned on me that the newer versions of Windows (7 and 2008) don’t allow remote access to administrative shares such as ADMIN$, C$ etc. from untrusted systems (update: 28/06/16 excluding the ‘default’ local administrator RID 500 account). I searched a little and found the following. This should be added to the victim’s registry:
- Add a new DWORD (32-bit) value named ‘LocalAccountTokenFilterPolicy’ and set it to 1
Obviously this assumes that you have some means to interact with the victim system/update the registry etc., but nonetheless it’s handy to know if/when you come across such an issue during an engagement.
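
From the defending side, the registry change described above is a clear signal to alert on. The following is an added example, not part of the original post: it scans registry-write events for LocalAccountTokenFilterPolicy being set to 1. It assumes events shaped like Sysmon Event ID 13 records already parsed into dicts, uses the registry path Microsoft documents for this value (the post itself does not give it), and runs on constructed sample events with made-up host names.

```python
import re

# Value controlling UAC remote restrictions for local accounts. The path is the
# one Microsoft documents for this value (assumption: not given in the post).
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUE = "LocalAccountTokenFilterPolicy"
FULL_PATH = POLICY_KEY + "\\" + POLICY_VALUE
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

# Constructed sample events, shaped like Sysmon Event ID 13 (registry value set)
# records after parsing. Host names and writing processes are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS-017", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": FULL_PATH, "Details": "DWORD (0x00000001)"},
    # Same value written back to 0 (restriction re-enabled): not an alert.
    {"Computer": "WS-021", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": FULL_PATH.lower(), "Details": "DWORD (0x00000000)"},
    # Different value under the same key: not an alert.
    {"Computer": "WS-030", "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    {"Computer": "SRV-02", "EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": FULL_PATH, "Details": "DWORD (0x00000001)"},
]

def token_filter_disabled(event):
    """True if the event sets LocalAccountTokenFilterPolicy to 1."""
    if event.get("EventID") != 13:
        return False
    # Registry paths are case-insensitive, so compare case-folded.
    if event.get("TargetObject", "").casefold() != FULL_PATH.casefold():
        return False
    match = DWORD_RE.fullmatch(event.get("Details", "").strip())
    return bool(match) and int(match.group(1), 16) == 1

def find_alerts(events):
    """Return (host, writing process) for every event that weakens the policy."""
    return [(e["Computer"], e["Image"]) for e in events if token_filter_disabled(e)]

if __name__ == "__main__":
    for host, image in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {POLICY_VALUE}=1 written by {image}")
```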