Security Basics mailing list archives

Re: Removing Local Admin Accounts - What do you think?


From: krymson () gmail com
Date: 15 Jan 2008 18:59:31 -0000

disclaimer: I don't have knowledge of anything specific to Vista, if that is your OS in question.

1) The only way I know of to "remove" the default "Administrator" account from a local system is to set it to some 
large, complex, unique, unpredictable password. Then either lose the password or split it up so no single person knows 
the whole password. Pretty overkill, but possible. Liken this to trying to remove "root" from Unix...

2) It sounds like this company wants to know which IT admin is doing maintenance on the systems--a pretty common audit 
requirement. You can let them use their network credentials which can be auditable.

3) When the system is off the network or has a broken network, what do you do? Hopefully an admin has been on recently 
(depending on the number of cached logon credentials) and is available. If not, you might just screw yourself. 
Likewise, if you have a compromised system that a good admin has immediately unplugged from the network, do you have a 
means of getting in to diagnose it?

4) I would suspect that any shop really concerned about this action is large enough to have some sort of centralized 
management or security software. What credentials do these tools run under, what can they do, and who has access either 
to the account or the password? For example, if you use Altiris for system management and you have 10 Altiris admins, 
when someone installs something through Altiris it can be difficult to ascertain who did it.

5) Any person who has local administrator rights on a box has the right to change that local administrator account back 
to some known password (or create a new account). Say George is a rogue IT admin. He logs into someone's box and 
changes the password, then uses the Admin account for his nefarious deeds. What if he has AD Group Policy access? He 
could just update it there and mass change everyone to something he knows. Or run a script to change everyone...  If 
normal users have local admin rights, can an IT admin trick them into resetting the default admin password with a simple 
call?

6) IT admins also typically have physical access to these devices. Do they have the means and ability to remove the 
disk, mount it somewhere else, and reset the admin account? Even if you have BIOS and disk and encryption passwords, 
I'd bet they know all those passwords as well (although each step an attacker has to take is another chance to catch 
them in the logs/audits).


I would say the biggest question is what is the company really trying to accomplish with this approach? Auditing? 
Protection against worms and low level attacks? Mistrust of IT admins (indicative of either outside regulations or HR 
failings)? I would steer towards logging everything to a central location. And then active means like obfuscating the 
admin account only as extra measures.

Your IT admins have a LOT of access. We don't like to think about it or talk about it, but it's true. They have access, 
insider knowledge, and technical knowledge. All you need is motivation and a disregard of ethics, and you're faced with 
an extremely difficult-to-prevent insider attacker. Not the kind of thing most companies can truly stop, nor maybe 
realistically should be stopping.


<- snip ->
What is your professional opinion on removing the local administrator
account?

Does this pose a security risk to have a local administrator account on
a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited? What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view?

If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to compromise
a box, anonymously, would they really need this local administrator
account on the box? Or would they still be able to do this, without the
account there? Why?
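Point 2 above (use auditable credentials) and the closing advice (log everything centrally) come down to one practical question: can you tell from the logs when the shared built-in Administrator account was used, and who reset its password? The following Python script is an added example, not from the original post or from any tool named in it. It assumes Security-log events have been exported as dicts with the field names shown (EventID, TargetUserSid, LogonType, SubjectUserName, and so on, as they appear in Event Viewer); the sample events are constructed for illustration. The one fact it relies on is that the built-in Administrator account always carries RID 500, so its SID ends in "-500" regardless of whether it has been renamed.

```python
"""Flag use of the built-in local Administrator account in Windows Security log records.

Added example, not part of the original thread. Assumes events are exported as
dicts with the field names used below; the SAMPLE_EVENTS are constructed.
"""
from collections import Counter

# Windows Security log event IDs (real values)
LOGON = 4624            # An account was successfully logged on
ACCOUNT_CREATED = 4720  # A user account was created
PASSWORD_RESET = 4724   # An attempt was made to reset an account's password
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached-credential logon
BUILTIN_ADMIN_RID = "-500"  # built-in Administrator always has RID 500, even if renamed


def is_builtin_admin(sid: str) -> bool:
    """True if the SID belongs to the built-in Administrator account."""
    return sid.endswith(BUILTIN_ADMIN_RID)


def audit(events):
    """Return one finding per event that involves the shared local admin account
    or creates a new local account. 'actor' is None when the log cannot attribute
    the action to a person (the point the original post makes about shared accounts)."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if (eid == LOGON and is_builtin_admin(ev["TargetUserSid"])
                and ev["LogonType"] in INTERACTIVE_LOGON_TYPES):
            findings.append({
                "time": ev["TimeCreated"], "host": ev["Computer"],
                "issue": "built-in Administrator interactive logon",
                "detail": f"logon type {ev['LogonType']} from {ev.get('IpAddress', '-')}",
                "actor": None,  # shared account: nobody in particular
            })
        elif eid == PASSWORD_RESET and is_builtin_admin(ev["TargetUserSid"]):
            findings.append({
                "time": ev["TimeCreated"], "host": ev["Computer"],
                "issue": "password reset on built-in Administrator",
                "detail": f"reset by {ev['SubjectUserName']}",
                "actor": ev["SubjectUserName"],  # 4724 records who performed the reset
            })
        elif eid == ACCOUNT_CREATED:
            findings.append({
                "time": ev["TimeCreated"], "host": ev["Computer"],
                "issue": "new local account created",
                "detail": f"created {ev['TargetUserName']}",
                "actor": ev["SubjectUserName"],
            })
    return findings


def summarize(findings):
    """Count findings by issue type, for a quick daily report."""
    return Counter(f["issue"] for f in findings)


# Constructed sample export: one workstation, one day (hypothetical names/SIDs)
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2008-01-15T09:12:00", "Computer": "WS01",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "TargetUserName": "Administrator",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2008-01-15T09:30:00", "Computer": "WS01",
     "TargetUserSid": "S-1-5-21-4444-5555-6666-1105", "TargetUserName": "jsmith",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2008-01-15T10:02:00", "Computer": "WS01",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "TargetUserName": "Administrator",
     "LogonType": 3, "IpAddress": "10.0.0.7"},  # network logon: not flagged here
    {"EventID": 4724, "TimeCreated": "2008-01-15T11:45:00", "Computer": "WS01",
     "SubjectUserName": "gwilson", "TargetUserSid": "S-1-5-21-1111-2222-3333-500",
     "TargetUserName": "Administrator"},
    {"EventID": 4720, "TimeCreated": "2008-01-15T11:46:00", "Computer": "WS01",
     "SubjectUserName": "gwilson", "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: {f['issue']} ({f['detail']}); actor={f['actor']}")
    print(summarize(audit(SAMPLE_EVENTS)))
```

The first finding has no actor at all, which is exactly the audit gap the question describes; the password reset and account creation are attributable because those events name the subject, which is why forwarding 4724 and 4720 to a central log matters more than the account's existence. Network logons (type 3) with the built-in account are deliberately left out of the interactive set here so the example stays focused; a production rule would usually report them too.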

