Network Security Security-Basics

Re: Removing Local Admin Accounts - What do you think?

Subject: Re: Removing Local Admin Accounts - What do you think?
Date: 15 Jan 2008 18:59:31 -0000
disclaimer: I don't have knowledge of anything specific to Vista, if that is 
your OS in question.

1) The only way I know of to "remove" the default "Administrator" account from 
a local system is to set it to some large, complex, unique, unpredictable 
password. Then either lose the password or split it up so no single person 
knows the whole password. Pretty overkill, but possible. Liken this to trying 
to remove "root" from Unix...

2) It sounds like this company wants to know which IT admin is doing 
maintenance on the systems--a pretty common audit requirement. You can let them 
use their network credentials which can be auditable.

3) When the system is off the network or has a broken network, what do you do? 
Hopefully an admin has been on recently (depending on the number of cached 
logon credentials) and is available. If not, you might just screw yourself. 
Likewise, if you have a compromised system that a good admin has immediately 
unplugged from the network, do you have a means of getting in to diagnose it?

4) I would suspect that any shop really concerned about this action is large 
enough to have some sort of centralized management or security software. What 
credentials do these tools run under, what can they do, and who has access 
either to the account or the password? For example, if you use Altiris for 
system management and you have 10 Altiris admins, when someone installs 
something through Altiris it can be difficult to ascertain who did it.

5) Any person who has local administrator rights on a box has the right to 
change that local administrator account back to some known password (or create 
a new account). Say George is a rogue IT admin. He logs into someone's box and 
changes the password, then uses the Admin account for his nefarious deeds. What 
if he has AD Group Policy access? He could just update it there and mass change 
everyone to something he knows. Or run a script to change everyone...  If 
normal users have local admin rights, can an IT admin trick them into resetting 
the default admin password with a simple call?

6) IT admins also typically have physical access to these devices. Do they have 
the means and ability to remove the disk, mount it somewhere else, and reset 
the admin account? Even if you have BIOS and disk and encryption passwords, I'd 
bet they know all those passwords as well (although each step an attacker has 
to take is another chance to catch them in the logs/audits).


I would say the biggest question is what is the company really trying to 
accomplish with this approach? Auditing? Protection against worms and low level 
attacks? Mistrust of IT admins (indicative of either outside regulations or HR 
failings)? I would steer towards logging everything to a central location. And 
then active means like obfuscating the admin account only as extra measures.

Your IT admins have a LOT of access. We don't like to think about it or talk 
about it, but it's true. They have access, insider knowledge, and technical 
knowledge. All you need is motivation and a disregard of ethics, and you're 
faced with an extremely difficult-to-prevent insider attacker. Not the kind of 
thing most companies can truly stop, nor maybe realistically should be stopping.


<- snip ->
What is your professional opinion on removing the local administrator
account?

Does this pose a security risk to have a local administrator account on
a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited? What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view?

If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to compromise
a box, anonymously, would they really need this local administrator
account on the box? Or would they still be able to do this, without the
account there? Why?
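
Point 1 of the reply above (set the built-in Administrator to a long random password and split it so nobody holds the whole thing) can be done with a simple XOR secret split. This is an added example, not code from the poster or from the list: all shares are needed to recover the password, any strict subset reveals nothing, and the share count is a parameter. The password length and the number of holders are assumptions for illustration.

```python
import secrets
import string
from typing import List


def generate_password(length: int = 40) -> str:
    """Generate a long, unpredictable password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: str, holders: int) -> List[bytes]:
    """Split `secret` into `holders` shares; every share is required to rebuild it.

    All shares but the last are uniformly random, and the last is the secret
    XORed with all of them, so any strict subset is indistinguishable from noise.
    """
    if holders < 2:
        raise ValueError("need at least two holders for a split to mean anything")
    data = secret.encode("utf-8")
    shares = [secrets.token_bytes(len(data)) for _ in range(holders - 1)]
    last = data
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all shares together; returns the password bytes only if every share is present."""
    result = shares[0]
    for share in shares[1:]:
        result = _xor(result, share)
    return result


if __name__ == "__main__":
    # Assumed scenario: three IT staff each get one share of the emergency password.
    password = generate_password()
    shares = split_secret(password, holders=3)
    for i, share in enumerate(shares, 1):
        print(f"holder {i}: {share.hex()}")
    assert combine_shares(shares).decode("utf-8") == password
```

After generating the password you would set it once on the machine (for example with `net user Administrator <password>` in an elevated prompt), hand out the hex shares, and keep no copy of the plaintext; the split only helps if the person running the script does not retain it.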

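The reply's recommendation to log everything centrally, and its point 5 (any local admin can reset the built-in Administrator's password or create a new account, and renaming the account does not hide it), can be turned into detection logic. The following is an added example, not code from the poster or the list. It runs over constructed event records modeled on Windows Security log fields (event IDs 4624 logon, 4724 password reset attempt, 4720 account created, 4732 member added to a local group) written here in a simplified one-line `key=value` form; the SIDs, user names and host names are made up. The check keys on the RID 500 of the SID rather than the account name, so a renamed Administrator is still caught.

```python
from typing import Dict, List, Tuple

# Constructed sample export, one event per line: EventID followed by key=value fields.
EVENTS = """\
4624 TargetUserSid=S-1-5-21-1111-2222-3333-1105 TargetUserName=jsmith TargetDomainName=CORP LogonType=2 SubjectUserName=- WorkstationName=WS01 IpAddress=-
4624 TargetUserSid=S-1-5-21-1111-2222-3333-500 TargetUserName=svc_backup TargetDomainName=WS01 LogonType=2 SubjectUserName=- WorkstationName=WS01 IpAddress=-
4724 TargetUserSid=S-1-5-21-1111-2222-3333-500 TargetUserName=svc_backup TargetDomainName=WS01 SubjectUserName=george SubjectDomainName=CORP
4720 TargetUserSid=S-1-5-21-1111-2222-3333-1106 TargetUserName=helpdesk2 TargetDomainName=WS01 SubjectUserName=george SubjectDomainName=CORP
4732 MemberSid=S-1-5-21-1111-2222-3333-1106 TargetUserName=Administrators TargetDomainName=Builtin SubjectUserName=george SubjectDomainName=CORP
4624 TargetUserSid=S-1-5-21-1111-2222-3333-1105 TargetUserName=jsmith TargetDomainName=CORP LogonType=3 SubjectUserName=- WorkstationName=WS02 IpAddress=10.0.0.7
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'EventID key=value ...' line into a dict (EventID stays a string)."""
    tokens = line.split()
    event = {"EventID": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_builtin_admin(sid: str) -> bool:
    """True for the built-in Administrator: a machine/domain SID whose RID is 500, whatever its name."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == "500"


def audit(export: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for activity the reply warns about."""
    findings: List[Tuple[str, str]] = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev["EventID"]
        actor = f"{ev.get('SubjectDomainName', '-')}\\{ev.get('SubjectUserName', '-')}"
        if eid == "4624" and is_builtin_admin(ev.get("TargetUserSid", "")):
            # Use of the shared account: we know a logon happened, not who typed the password.
            findings.append(("builtin-admin-logon",
                             f"RID-500 account '{ev['TargetUserName']}' logon type {ev['LogonType']} "
                             f"on {ev['WorkstationName']} from {ev['IpAddress']}"))
        elif eid == "4724" and is_builtin_admin(ev.get("TargetUserSid", "")):
            # The 'George' case: a named admin resetting the shared account's password.
            findings.append(("builtin-admin-password-reset",
                             f"{actor} reset password of RID-500 account '{ev['TargetUserName']}'"))
        elif eid == "4720":
            findings.append(("local-account-created",
                             f"{actor} created account '{ev['TargetUserName']}'"))
        elif eid == "4732" and ev.get("TargetUserName") == "Administrators":
            findings.append(("added-to-local-administrators",
                             f"{actor} added {ev.get('MemberSid', '?')} to Administrators"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(EVENTS):
        print(f"{rule:32} {detail}")
```

The first finding is the one the original question worries about: the logon is recorded, but the Subject is empty, so the log cannot say which admin used the account. The next three are attributable to a named user, which is why the reply prefers auditing over removal: the reset and the new account are exactly the moves a rogue admin makes, and they leave a named trail when the events are shipped off the box before anyone can clear them.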