Re: Local Admin Accounts

[Eric Case <ecase () EMAIL ARIZONA EDU>]

Please see inline responses .



Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 16, 2009 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts



I would like to inquire as to what other Universities are doing with regard
to local admin accounts in Windows domain.  We are contemplating removing or
disabling local administrator accounts across the board and use a
Workstation Administrators group in Active Directory.



1.       Has anyone disabled the local Administrator account?

[Eric Case] Yes, Vista and 7, the local admin account disable it by default.
You can access the disabled account from in safe mode..



2.       How do you handle when a machine can no longer talk to the network
or domain, whether a hardware failure or lost trust?

[Eric Case] Safe mode.



3.       If a machine loses its trust with the domain, what cause this?

[Eric Case] I usually saw this when a different machine was added to the
domain with the same name and the machine account was stepped on.



4.       Is there a method of creating a unique password for each machine
for the administrator account, or someway of not having to give out one
password that gives someone access to anything and everything?

[Eric Case] Yes, you can do this by hand, via a script or commercial tool.



5.       Any other advice?

[Eric Case] Have fun.  :-)



Ronald King

Security Engineer

Norfolk State University

Marie V. McDemmond Center for Applied Research

Suite 401

700 Park Ave.

Norfolk, Virginia  23504

Phone:  757-823-3918

Fax: 757-823-2128

Email: raking () nsu edu

http://security.nsu.edu