On 2008-01-13 Rob Thompson wrote:
I am asking this as I will be presenting this to a company, as they
have proposed this idea and I want to show them exactly what they are
considering getting themselves into.
What is your professional opinion on removing the local administrator
account?
Don't do it. The local administrator account exists for local system
administration and troubleshooting purposes, e.g. in situations where
for some reason the box is unable to access the network.
Does this pose a security risk to have a local administrator account
on a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited? What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.
Yes, that is possible. However, anyone with administrative privileges is
able to bypass auditing measures anyway.
What are the risks involved in removing this account?
See above.
Is this a general best practice, from a security point of view?
Not that I'm aware of.
If not, what is the best practice from a security point of view?
Give administrative privileges only to trusted persons. Use strong
passwords for local admin accounts and change them on a regular basis.
Lastly, do you believe or not, that if the IT staff wanted to
compromise a box, anonymously, would they really need this local
administrator account on the box? Or would they still be able to do
this, without the account there? Why?
Yes, they can do that anyway, e.g. by booting some other system from
removable media.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
