Security Basics mailing list archives
RE: Removing Local Admin Accounts - What do you think?
From: "Bob Emerson" <remerson () ec rr com>
Date: Mon, 14 Jan 2008 18:52:38 -0500
There are other issues related to the administrator account. Some system processes run under that account, and some programs, such as delprof, run better under the administrator account rather than a system account.

I agree with Brian that I would change the administrator account, use a temporary one for installation, and set a GPO on your regular OU to set the account password to something that only your Domain Administrators know. Then add your regular administrators to the administrator group and allow them to log in that way.

I don't believe that you can do anything with the SID, as everyone knows a SID ending in -500 is the local admin account. Even renaming the account doesn't do any good. Read the SID.

Auditing is always the best way to go. Turn it on and set it via GPO so that it will always be turned on every refresh. Do things via GPO and you won't have to worry about your local PC setup team forgetting anything important. Also, if you use SMS you can take your time and set up your image correctly each and every time.

Bob Emerson, Network Administrator
Durham VA Medical Center
Durham, NC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Worrell, Brian
Sent: Monday, January 14, 2008 12:59 PM
To: my.security.lists () gmail com; my.security.lists () gmail com; security-basics () securityfocus com
Subject: RE: Removing Local Admin Accounts - What do you think?

Rob,
From experience, IT people will need admin access to the local PCs, but it was always best to add them to the admins group rather than share the admin account password. This allows you to have some logging (if you enable it, of course) in the event that you have a security issue.

As for the admin account itself, I would rename it and limit who has that password. Not sure that this is a universal best practice, but I have seen that done by some universities as well as some medical groups. Not sure that you can delete it completely though.

End-user wise, I have yet to find an application that could not run without admin rights. Saying that, you may have to run the old Sysinternals apps to see what reg keys and file permissions need to be tweaked.

Thanks
Brian

On Jan 13, 2008 7:19 PM, Rob Thompson <my.security.lists () gmail com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear List,

I am looking for a general consensus from my peers. If you are able to answer this with definite knowledge and not an assumption, and you fully understand what you are saying, please reply to this message. I do not mean to be rude, but if you are not sure, please do not respond to this message. I am asking this as I will be presenting this to a company, as they have proposed this idea and I want to show them exactly what they are considering getting themselves into.

What is your professional opinion on removing the local administrator account?

Does this pose a security risk: to have a local administrator account on a computer, so that IT staff (which are the only people in the organization that are entitled to this user/pass) can do work on a computer in a way that cannot be "securely" audited? What I mean by this is, they all use this one account (for emergencies only), instead of using their own credentials over the network, thereby showing the local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view? If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to compromise a box, anonymously, would they really need this local administrator account on the box? Or would they still be able to do this without the account there? Why?

I sincerely appreciate your time and thank you in advance for any answers that you may pose. Also, if you see something that I did not consider in my questions, please feel free to include that as well. Please remember, whether you think that this is a wise decision or not, PLEASE state your answers and why.

- --
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|          _                  |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkeKZCsACgkQcfN68iZZIcf9SgCgii4WMWjE8upNop/TvA41sqpJ
2GgAoNnC7iU1OT8GAPVkouK0UlfHfqkN
=67NY
-----END PGP SIGNATURE-----
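Two points in the thread above can be checked directly on a workstation: Bob's remark that the built-in Administrator is always RID 500 no matter what it has been renamed to ("Read the SID"), and Brian's advice to put named IT staff in the local Administrators group so the logs show a person rather than a shared account. The PowerShell below is an added example for this archive page, not code posted by anyone in the thread. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 8.1 / Server 2012 R2 and later; older hosts of the 2008 vintage would use Win32_UserAccount via WMI instead), and that logon auditing has already been enabled, e.g. through the GPO Bob describes, so that event 4624 is present in the Security log.

```powershell
# Added example, not from the thread. Identify the built-in local Administrator
# by its well-known RID (500), whatever it has been renamed to, list who is in
# the local Administrators group, and pull recent logons by that account from the
# Security log to show that a shared account yields an audit trail naming the
# account, not the person.
# Assumptions: LocalAccounts cmdlets available (Windows 8.1 / Server 2012 R2+),
# logon auditing already enabled, and the shell is elevated (Security log read).

function Get-BuiltinAdministrator {
    # The machine SID is S-1-5-21-<a>-<b>-<c>; the built-in Administrator is
    # always RID 500 beneath it, regardless of its display name.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }
}

function Get-AdministratorsGroupMembers {
    # Resolve the group by its well-known SID (BUILTIN\Administrators, S-1-5-32-544)
    # so a renamed group is found as well.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-BuiltinAdminLogons {
    # Event 4624 = successful logon. In its EventData, index 4 is TargetUserSid,
    # 5 TargetUserName, 8 LogonType, 11 WorkstationName and 18 IpAddress.
    # Matching on the SID (RID 500) rather than the name defeats the rename here too.
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { ([string]$_.Properties[4].Value) -match '-500$' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $_.Properties[5].Value
                LogonType   = $_.Properties[8].Value    # 2 interactive, 3 network, 10 RDP
                Workstation = $_.Properties[11].Value
                SourceIp    = $_.Properties[18].Value
            }
        }
}

$admin = Get-BuiltinAdministrator
Write-Host ("Built-in Administrator is '{0}' (SID {1}); Enabled={2}; PasswordLastSet={3}" -f `
    $admin.Name, $admin.SID.Value, $admin.Enabled, $admin.PasswordLastSet)

Write-Host "`nMembers of BUILTIN\Administrators (the accounts that should be appearing in the logs):"
Get-AdministratorsGroupMembers | Format-Table -AutoSize

Write-Host "`nRecent logons by the built-in Administrator (account known, person unknown):"
Get-BuiltinAdminLogons | Format-Table -AutoSize
```

Run it from an elevated prompt; reading the Security log requires it. If the first line prints a name other than "Administrator", the account has been renamed and the RID match is what found it, which is Bob's point. The last table is the audit gap Rob asks about: each row is a use of the shared account, with at most the source workstation and address to hint at who was behind it, whereas logons by the named group members carry their own SIDs and names.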
Current thread:
- Removing Local Admin Accounts - What do you think? Rob Thompson (Jan 14)
- Re: Removing Local Admin Accounts - What do you think? Colo Colo (Jan 14)
- RE: Removing Local Admin Accounts - What do you think? Nick Duda (Jan 14)
- RE: Removing Local Admin Accounts - What do you think? Worrell, Brian (Jan 14)
- RE: Removing Local Admin Accounts - What do you think? Bob Emerson (Jan 15)
- Re: Removing Local Admin Accounts - What do you think? Ansgar -59cobalt- Wiechers (Jan 14)
- Re: Removing Local Admin Accounts - What do you think? Rob Thompson (Jan 15)
- Re: Removing Local Admin Accounts - What do you think? Chris Barber (Jan 24)
- <Possible follow-ups>
- Re: Removing Local Admin Accounts - What do you think? Sheldon Malm (Jan 14)
- RE: Removing Local Admin Accounts - What do you think? Timmothy Lester (Jan 14)
- Re: Removing Local Admin Accounts - What do you think? Rob Thompson (Jan 30)
- Re: Removing Local Admin Accounts - What do you think? krymson (Jan 15)
- Re: Removing Local Admin Accounts - What do you think? Colo Colo (Jan 14)