[funsec] Removing Local Administrator Account

Dude VanWinkle dudevanwinkle at gmail.com
Sun Jan 13 23:36:50 CST 2008

On Jan 13, 2008 2:27 PM, Rob Thompson <my.security.lists at gmail.com> wrote:
> What is your professional opinion on removing the local administrator
> account?

Of course this depends on the size of your organization. For smaller
ones with only a few admins and one subnet, I have turned off local
authentication entirely (winlogon vs netlogon) with no ill effects.
For larger organizations, you should be giving your desktop admins
individual accounts for tracking purposes. I wouldn't worry too much
about removing the admin account, but I would give it a long and
complex password and make sure to remove the hash of that password in
the registry and remember to set your cached logins to 1 only (which
should mostly be the person the workstation is assigned to in case of
network/server failure. Also make sure your local admins have the user
log on right after they do, or manually delete that entry in the
registry before logging off. Are you allowed to have multiple
sentences inside parenthesis? Oh well..).

Some things on windows boxen can only be done by the original admin
account (especially on Vista), you can get around a lot of that with
xcacls/cacls and some registry acl changes/group policy settings, just
depends on how much effort you want to put into it.

> Does this pose a security risk to have a local administrator account on
> a computer, so that IT staff (which are the only people in the
> organization that are entitled to this user/pass) can do work on a
> computer in a way that can not be "securely" audited?


> What I mean by
> this is, they all use this one account (for emergencies only), instead
> of using their own credentials over the network - thereby showing the
> local admin account was used, but not who used it.


> What are the risks involved in removing this account?

Some hacks may not work properly

> Is this a general best practice, from a security point of view?

Maybe :-)

> If not, what is the best practice from a security point of view?

Other stuff ;-)

> Lastly, do you believe or not, that if the IT staff wanted to compromise
> a box, anonymously, would they really need this local administrator
> account on the box?  Or would they still be able to do this, without the
> account there?  Why?

Yes. Because, if you have admin access, you can't really stop them
from compromising the workstation and hiding it. If they are really
smart/skilled that is. You should have extra layers around your
servers to detect these internal attacks from IT staff that are
independent from the workstations reporting to you. Real time
workstation log monitoring would be nice, but you better have
unimaginable amounts of storage and bandwidth.

Servers are a whole different discussion.. and a lot longer..


More information about the funsec mailing list