Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 16 Sep 2009 11:03:54 -0700
Renaming the local administrator account is security by obscurity and doesn't accomplish anything. The account can still be accessed by the account's unique identifier (SID: S-1-5-######-500) in the OS and AD, and by live CDs used to reset or hack admin passwords. The account name is just a label, after all.

It is best to set a strong, secure password on the account and strictly limit access to it. Audit for local admin login and know who is using that credential and why.

Disabling the local administrator account, and not having another account (domain or local) in the local admin group, can make management of the individual system(s) very difficult. Also, adding a local account and putting it in the local administrator group does not make an account identical to the default local administrator account. The added account does not have the same unique identifier.

To address the trust issue: The domain administrator group must be (and this is set by default when a system is joined to the domain) included in all local administrator groups. Without this, systems will drop off the domain. In a past life (way back when AD was new), some users felt that the domain admin group should not be part of their local admin group (paranoid faculty and HR directors, mostly) on their workstations and would remove them (yeah, they had elevated privs). We dropped _all_ users to power users, removed access to local policy and made sure that domain admin group was part of the local admin group. Some hard feelings abounded, but we stabilized the network and domain.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Wednesday, September 16, 2009 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

For operational reasons it is not recommended to disable the administrator account. The best practice is to rename it to some other value.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in Windows domain. We are contemplating removing or disabling local administrator accounts across the board and use a Workstation Administrators group in Active Directory.

1. Has anyone disabled the local Administrator account?
2. How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or lost trust?
3. If a machine loses its trust with the domain, what causes this?
4. Is there a method of creating a unique password for each machine for the administrator account, or some way of not having to give out one password that gives someone access to anything and everything?
5. Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu
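
The reply at the top of this message identifies the built-in account by its SID ending in -500 rather than by its name and recommends auditing its logons. The following PowerShell is an added example, not part of the original thread: it assumes an elevated session on Windows with the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 or later) and a Security log that records event 4624 (Vista/Server 2008 and later).

```powershell
# Added example (not from the thread). Run elevated.

# The built-in Administrator keeps a SID ending in -500 even after a rename.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
$builtin | Select-Object Name, Enabled, PasswordLastSet, LastLogon, SID

# Members of the local Administrators group (well-known SID S-1-5-32-544).
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'
$members | Select-Object Name, PrincipalSource, ObjectClass, SID

# Domain Admins (RID 512) is added to this group by default at domain join.
if (-not ($members | Where-Object { $_.SID.Value -match '-512$' })) {
    Write-Warning 'Domain Admins (RID 512) is not in the local Administrators group.'
}

# Other local users in the group hold admin rights but are not the RID 500 account.
$members |
    Where-Object {
        $_.PrincipalSource -eq 'Local' -and
        $_.ObjectClass -eq 'User' -and
        $_.SID.Value -notmatch '-500$'
    } |
    ForEach-Object { Write-Output "Additional local admin: $($_.Name) ($($_.SID.Value))" }

# Audit logons by the RID 500 account, matched on SID so a rename does not hide it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $sid  = ($data | Where-Object Name -eq 'TargetUserSid').'#text'
        if ($sid -eq $builtin.SID.Value) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
                Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
    }
```

The `-MaxEvents 5000` window is an arbitrary choice for the example; for ongoing auditing the same SID match belongs in whatever collects the Security log centrally.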