This question is in reference to @SwiftOnSecurity’s Twitter thread: https://twitter.com/SwiftOnSecurity/status/655208224572882944
After reading through the thread, I still don’t quite get why you would want to disable network login for local accounts.
So here is what I’m thinking, please correct me where I am wrong:
Say I have an AD set up with a DC and multiple clients. One of the clients is John. So in the morning, John goes into work and logs into his desktop PC with his AD credentials. At noon, John heads out for a meeting and ‘locks’ his computer (Windows + L). He then needs to connect to his PC back at the office from his personal laptop remotely (via RDP or something). However, under this new policy, he won’t be able to do so.
The explanation that Securitay gives is that the passwords are not salted. However, how would an attacker gain access in this case? On which end is the password not salted? Or is the situation I have in my mind completely unrelated to what she is trying to say? If this is the case, what is she actually trying to say?
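As an added example (not part of the original question or the linked thread), the following PowerShell audit shows where the setting under discussion actually lives on a Windows machine: the "Deny access to this computer from the network" user right, which since KB2871997 can be assigned to the well-known SIDs for local accounts (S-1-5-113) and local accounts that are members of Administrators (S-1-5-114). It exports the local security policy with secedit, reports whether those SIDs are in the deny list, and lists the enabled local accounts the policy would apply to. It assumes Windows 8.1/Server 2012 R2 or later, PowerShell 5.1+ for Get-LocalUser, and an elevated session for the export; the file name and property names are my own choices.

```powershell
# Added example, not from the original post. Audits whether this machine denies
# network logon to local accounts (the mitigation the thread is about).
# Assumptions: Windows 8.1/2012 R2+ (KB2871997 well-known SIDs), PowerShell 5.1+,
# running elevated so secedit can export the local policy.
#   S-1-5-113  NT AUTHORITY\Local account
#   S-1-5-114  NT AUTHORITY\Local account and member of Administrators group

$inf = Join-Path $env:TEMP 'secpol-export.inf'   # temporary export path (my choice)
secedit /export /cfg $inf /quiet | Out-Null

# The INF stores the right under [Privilege Rights] as a comma-separated list,
# with SIDs prefixed by '*', e.g.  SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
$denied = @()
$line = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
if ($line) {
    $denied = (($line.Line -split '=', 2)[1]).Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Enabled local accounts are the ones this deny right would keep off the network;
# domain accounts are unaffected by S-1-5-113/114.
$enabledLocal = Get-LocalUser | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name

[pscustomobject]@{
    DenyNetworkLogon_LocalAccounts      = ($denied -contains 'S-1-5-113')
    DenyNetworkLogon_LocalAdminAccounts = ($denied -contains 'S-1-5-114')
    EnabledLocalAccounts                = ($enabledLocal -join ', ')
    RawDenyList                         = ($denied -join ', ')
}
```

Both flags reporting `False` while enabled local accounts exist means the setting from the thread is not in effect on that host; a domain-joined user logging on with AD credentials, as in the scenario above, is not matched by either SID.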