funsec mailing list archives
Re: Removing Local Administrator Account
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 14 Jan 2008 00:36:50 -0500
On Jan 13, 2008 2:27 PM, Rob Thompson <my.security.lists () gmail com> wrote:
> What is your professional opinion on removing the local administrator account?
Of course this depends on the size of your organization. For smaller ones with only a few admins and one subnet, I have turned off local authentication entirely (winlogon vs. netlogon) with no ill effects. For larger organizations, you should be giving your desktop admins individual accounts for tracking purposes.

I wouldn't worry too much about removing the admin account, but I would give it a long and complex password, make sure to remove the hash of that password from the registry, and remember to set your cached logins to 1 only (which should mostly be the person the workstation is assigned to, in case of network/server failure. Also make sure your local admins have the user log on right after they do, or manually delete that entry in the registry before logging off. Are you allowed to have multiple sentences inside parentheses? Oh well..).

Some things on Windows boxen can only be done by the original admin account (especially on Vista); you can get around a lot of that with xcacls/cacls and some registry ACL changes/group policy settings. It just depends on how much effort you want to put into it.
> Does this pose a security risk to have a local administrator account on a computer, so that IT staff (which are the only people in the organization that are entitled to this user/pass) can do work on a computer in a way that cannot be "securely" audited?
Yes
> What I mean by this is, they all use this one account (for emergencies only), instead of using their own credentials over the network - thereby showing the local admin account was used, but not who used it.
Yes
> What are the risks involved in removing this account?
Some hacks may not work properly
> Is this a general best practice, from a security point of view?
Maybe :-)
> If not, what is the best practice from a security point of view?
Other stuff ;-)
> Lastly, do you believe or not, that if the IT staff wanted to compromise a box, anonymously, would they really need this local administrator account on the box? Or would they still be able to do this, without the account there? Why?
Yes. Because, if you have admin access, you can't really stop them from compromising the workstation and hiding it. If they are really smart/skilled, that is. You should have extra layers around your servers to detect these internal attacks from IT staff that are independent of the workstations reporting to you. Real-time workstation log monitoring would be nice, but you had better have unimaginable amounts of storage and bandwidth. Servers are a whole different discussion... and a lot longer...

-JP

_______________________________________________
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
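As an added example (not code from this thread or its authors), the following read-only PowerShell audit checks the points the reply raises on a single workstation: the cached-logon count, whether the RID-500 built-in administrator is enabled, who sits in local Administrators, and how often the shared RID-500 account has logged on interactively, which is exactly the use the question says cannot be attributed to a person. The CachedLogonsCount value and the event 4624 field positions are Microsoft-documented; `$maxCached` and `$lookbackDays` are assumed values chosen here.

```powershell
# Added example, not code from the funsec thread. Read-only audit; assumes an
# elevated PowerShell 5.1+ session on the workstation being checked.
$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$maxCached    = 1      # assumed: the reply recommends caching one logon only
$lookbackDays = 7      # assumed: how far back to look in the Security log

# 1. Cached domain logons. CachedLogonsCount is a REG_SZ; Windows uses 10 when absent.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
if ([int]$cached -gt $maxCached) {
    Write-Warning "CachedLogonsCount=$cached; reply recommends $maxCached"
} else {
    Write-Output "CachedLogonsCount=$cached (OK)"
}

# 2. Built-in Administrator. Match on RID 500 so a renamed account is still found.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in admin '$($builtin.Name)' is enabled"
} else {
    Write-Output "Built-in admin '$($builtin.Name)' is disabled"
}

# 3. Local Administrators membership. Each entry should be an individual,
#    named account so that actions can be tied to a person.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 4. The audit gap from the thread: a 4624 for the RID-500 account records that
#    the shared account was used, not by whom. Count interactive (LogonType 2)
#    and RDP (LogonType 10) logons so that use is at least visible.
#    4624 EventData order: [4]=TargetUserSid, [8]=LogonType, [18]=IpAddress.
$since  = (Get-Date).AddDays(-$lookbackDays)
$logons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } `
              -ErrorAction SilentlyContinue |
          Where-Object {
              $_.Properties[4].Value.Value -like '*-500' -and
              [int]$_.Properties[8].Value -in 2, 10
          }
Write-Output ("Interactive/RDP logons by the RID-500 account in the last {0} days: {1}" -f
              $lookbackDays, @($logons).Count)
$logons |
    Select-Object TimeCreated,
                  @{ n='LogonType'; e={ $_.Properties[8].Value } },
                  @{ n='SourceIp';  e={ $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Any non-zero count in step 4 is a logon that cannot be attributed to an individual, which is the case for central log collection rather than relying on the workstation's own log.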