Security Basics mailing list archives

RE: Removing Local Admin Accounts - What do you think?


From: "Nick Duda" <nduda () VistaPrint com>
Date: Mon, 14 Jan 2008 12:43:10 -0500

Correct me if I am wrong, but you can't delete the Local Admin account on a Windows box. You can disable and/or change 
the password, even flag it to not log in, but you can't delete it (I haven't tried while writing this email).

I was in the same boat a couple of years ago with the whole "who has local admin rights...etc." situation. Everyone has 
different approaches, some fast and easy, some long and expensive. (Not affiliated by any means.) I started to use a 
product from DesktopStandard called Application Security to help control this Least-Privilege environment, and it worked 
out very nicely. Basically no admin rights for anyone, but if a task was needed that required admin rights, it was 
escalated in the background....almost like a run-as, but it's much more in depth and all done on a service / GPO level.

As far as IT Admins/Helpdesk and Admin passwords/logins are concerned, you really have to rely on your InfoSec policies 
here. With proper logging and access control (DACLs, IDS, syslogging all applications and devices...etc.) it's very hard 
to mix the word "anonymous" with local staff.


-----Original Message-----
From: listbounce () securityfocus com on behalf of Colo Colo
Sent: Mon 1/14/2008 11:40 AM
To: my.security.lists () gmail com; security-basics () securityfocus com
Subject: Re: Removing Local Admin Accounts - What do you think?
 
Hi Rob,
in my experience a best practice is to grant your desktop support
people the necessary admin rights on the workstations; then they can
log in to the boxes to work with their own credentials (as long as the
computer can get to the DC for authentication purposes).

The local admin account poses a high risk in terms of workstation
administration: you will never be completely sure about what's
installed on the computers or which services are running or not (like
removing an antivirus through the registry). That's something users
can't do without admin rights.

On the other hand it brings to the table an important increase in the
required administrative workforce (that can be mitigated with the
right tools anyway).

Compromise is a big arena: anybody can compromise a box by exploiting
a service running as SYSTEM, and they will have admin rights in a
very stealthy way (that's why it is utterly important to have a good
patching policy/process).

Also, unless you are concentrating user logs somewhere, this is not a
reliable option to investigate security breaches. It may help, but it's
not reliable.

I may be missing something, so feel free to moan. :)

C.

On Jan 13, 2008 7:19 PM, Rob Thompson <my.security.lists () gmail com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear List,

I am looking for a general consensus from my peers.  If you are able to
answer this with definite knowledge and not an assumption and you fully
understand what you are saying, please reply to this message.  I do not
mean to be rude, but if you are not sure, please do not respond to this
message.

I am asking this as I will be presenting this to a company, as they have
proposed this idea and I want to show them exactly what they are
considering getting themselves into.

What is your professional opinion on removing the local administrator
account?

Does this pose a security risk to have a local administrator account on
a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that cannot be "securely" audited?  What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view?

If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to compromise
a box, anonymously, would they really need this local administrator
account on the box?  Or would they still be able to do this, without the
account there?  Why?

I sincerely appreciate your time and thank you in advance for any
answers that you may pose.  Also, if you see something that I did not
consider in my questions, please feel free to include that as well.

Please remember, if you think that this is a wise decision or not,
PLEASE state your answers and why.


- --
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkeKZCsACgkQcfN68iZZIcf9SgCgii4WMWjE8upNop/TvA41sqpJ
2GgAoNnC7iU1OT8GAPVkouK0UlfHfqkN
=67NY
-----END PGP SIGNATURE-----
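The thread's practical advice comes down to three checks on each workstation: find the built-in Administrator account (by its RID, 500, since the name can be changed), disable rather than delete it, see who actually holds local admin rights, and pull the Security-log logons made with that shared account so that at least the time, logon type and source of each use are on record. The following PowerShell script is an added example written for this archive page and is not code from any of the posters. It assumes a Windows version that ships the LocalAccounts module (Windows 10 / Server 2016 or later, not the 2008-era systems the thread was written on), an elevated prompt, and that "Audit Logon" is enabled so that event 4624 is being recorded; the parameter names are the example's own.

```powershell
# Added example: audit and optionally disable the built-in local Administrator
# (RID 500), list who holds local admin rights, and report logons that used
# the built-in account. Assumes Windows 10 / Server 2016+ and an elevated shell.
param(
    [switch]$DisableBuiltIn,   # set this to actually disable the RID-500 account
    [int]$Days = 30            # how far back to search the Security log
)

# Identify the built-in Administrator by SID suffix, not by name: the name can
# be renamed through policy, the RID cannot.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

"--- Built-in Administrator account ---"
[pscustomobject]@{
    Name      = $builtIn.Name
    Enabled   = $builtIn.Enabled
    LastLogon = $builtIn.LastLogon
} | Format-List

if ($DisableBuiltIn -and $builtIn.Enabled) {
    # Disabling keeps a break-glass path that can be re-enabled later; the
    # built-in account cannot be deleted in any case.
    Disable-LocalUser -SID $builtIn.SID
    "Disabled $($builtIn.Name)"
}

"--- Members of the local Administrators group ---"
# Domain users and groups nested in the local group are resolved here too,
# which is what you want when staff are supposed to use their own accounts.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

"--- Logons with the built-in account in the last $Days days ---"
# Event 4624 = successful logon. The shared account hides *who* logged on,
# but LogonType, WorkstationName and IpAddress still show *how* and from where.
$since = (Get-Date).AddDays(-$Days)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Compare the full SID so domain accounts with RID 500 are not confused
        # with this machine's local Administrator.
        if ($d.TargetUserSid -eq $builtIn.SID.Value) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d.LogonType      # 2 = interactive, 3 = network, 10 = RDP
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
            }
        }
    } | Format-Table -AutoSize
```

Run it without switches first to review; `-DisableBuiltIn` only acts when the account is still enabled. The logon report is the answer to Rob's auditing concern: it cannot name the person behind a shared account, which is exactly why the replies push staff onto their own domain credentials, but it does give the time and origin of every use, and forwarding those events to a central collector (as Colo notes) is what makes them usable in an investigation.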


