Local Admin Accounts - Security Risks and Best Practices (Part 1)
Raja Viswanathan
Mar 19 · 4 min read
We are all too familiar with the local administrator account that gets created automatically when installing a Windows computer. The local admin is all too powerful, but its reach is restricted to that one computer. The account offers complete control over files, folders, services, and the management of local user permissions. Local admins can install any software, modify or disable security settings, transfer data, and create any number of new local admins.
Local accounts with administrator privileges are considered necessary for running system updates, installing software upgrades, and managing hardware. They are also helpful for gaining local access to machines when the network goes down or when your organization faces some technical glitch.
From a security perspective, local admin accounts by themselves won’t cause major issues. But not managing them properly can have serious repercussions. We live in a period where social engineering attacks are the primary way of tricking people into exposing their credentials. All that an attacker needs to execute a massive attack is access to one local admin account. It takes just one compromised Windows host for an attacker to move laterally in your network and wreak havoc.
Before analyzing the security risks associated with improper management of local admin accounts, let’s review some common practices.
Most likely, the answer would be ‘no.’ You are not alone. Even some very large organizations with mature security models do not have this visibility. Consider a Windows environment with hundreds of machines. If there is no visibility on the number of local admin accounts and how they are being used, it is undoubtedly the starting point for major security issues.
It is very common to see the same password assigned to all or most local administrator accounts in the organization. It makes the life of IT staff and helpdesk technicians very easy. When Windows machines are deployed in bulk, the configuration is sometimes done by creating a Windows image that already contains a local admin account, and that image is pushed to all machines.
When doing so, all the machines get the same password, which is then usually ignored or forgotten. Other organizations assign distinct passwords that follow a set pattern; once one password is known, it is not tough to guess the others. Either way, all an attacker needs is one local admin password.
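As an added example (this is not code from the original post), the PowerShell audit below answers the visibility question raised above: it lists every principal in the built-in Administrators group on each host and, for the local accounts among them, how old the password is, so image-baked admin accounts that were never touched after deployment stand out. It assumes PowerShell Remoting is enabled on the targets, that you run it as an administrator, and that the host names in `$Computers` are placeholders to be replaced by your own inventory.

```powershell
# Added example, not from the original post. Inventories the members of the
# built-in Administrators group on each host and the password age of the local
# accounts among them, so that stale, shared-image admin accounts become visible.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, the caller
# is an administrator there, and $Computers is a placeholder list to replace
# with your own inventory (AD query, CMDB export, etc.).
$Computers          = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')   # placeholder host names
$MaxPasswordAgeDays = 90                                     # your policy value

$AuditBlock = {
    param([int]$MaxAgeDays)
    $now = Get-Date
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $localUser = $null
        if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
            # Only local accounts expose Enabled/PasswordLastSet through Get-LocalUser.
            $localUser = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        }
        $enabled = $null
        $ageDays = $null
        $finding = 'Review'       # domain users/groups: review the membership itself
        if ($localUser) {
            $enabled = $localUser.Enabled
            if ($localUser.PasswordLastSet) {
                $ageDays = [int]($now - $localUser.PasswordLastSet).TotalDays
            }
            if (-not $enabled)                                       { $finding = 'DisabledAdmin' }
            elseif ($null -eq $ageDays -or $ageDays -gt $MaxAgeDays) { $finding = 'StalePassword' }
            else                                                     { $finding = 'OK' }
        }
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            Member          = $member.Name
            ObjectClass     = $member.ObjectClass
            PrincipalSource = $member.PrincipalSource
            Enabled         = $enabled
            PasswordAgeDays = $ageDays
            Finding         = $finding
        }
    }
}

# Run the audit on every host; unreachable hosts are reported but do not stop the run.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $AuditBlock `
                          -ArgumentList $MaxPasswordAgeDays -ErrorAction Continue

# 1) How many principals hold admin rights on each host.
$results | Group-Object ComputerName |
    Select-Object @{n='ComputerName'; e={$_.Name}}, @{n='AdminPrincipals'; e={$_.Count}} |
    Format-Table -AutoSize

# 2) Local admin accounts that need action: stale passwords, or disabled but still admin.
$results | Where-Object { $_.Finding -in 'StalePassword', 'DisabledAdmin' } |
    Sort-Object ComputerName, Member |
    Format-Table ComputerName, Member, Enabled, PasswordAgeDays, Finding -AutoSize

# 3) Keep the full inventory for trending and for feeding a ticketing or PAM workflow.
$results | Export-Csv -Path '.\local-admin-audit.csv' -NoTypeInformation
```

An account whose `PasswordAgeDays` is identical across every host, and close to the age of your deployment image, is the shared-image password described above. Note what this inventory cannot tell you: whether two hosts share the same password. That is the reason to move to per-machine, randomized local admin passwords rather than a pattern, which is the subject of the next part.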
Let’s now take a deep look into some of the security risks.
Windows caches credentials as password hashes (NTLM hashes held in memory by the LSASS process) to facilitate single sign-on. If an attacker gains access to a system (say, through a social engineering attack), all that is needed is to pass the hashes: the attacker need not even try to obtain the password in plain text. Credential dump tools like Mimikatz extract the hashes, and the hash alone is enough for a successful NTLM authentication. If the attacker gets the hash of one local admin account, lateral movement becomes easy, because most of the devices share the same password and therefore the same hash.
The situation becomes worse if the machine was previously accessed with domain administrator credentials: the attacker could then also obtain the hashes of the domain admin account.
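From the defender's side, the lateral movement just described leaves a recognizable trail in the Security log: network logons (event 4624, logon type 3) authenticated with NTLM using a local account, arriving from one source at many hosts within a short window. The function below, an added example and not part of the original post, implements that heuristic over a small set of constructed event records; the field names match those of a real 4624 event, but the records themselves are made up for illustration.

```powershell
# Added example, not from the original post. Flags NTLM network logons that use a
# LOCAL account and hit several hosts from one source in a short window, which is
# what a pass-the-hash spree with a shared local admin password looks like in
# Security event 4624. The sample records are constructed; in production build the
# same shape from Get-WinEvent output (see the note after the code).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-19T10:00:05'; Computer = 'WS-EXAMPLE-01'; TargetUserName = 'localadmin'; TargetDomainName = 'WS-EXAMPLE-01'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.25' },
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-19T10:03:41'; Computer = 'WS-EXAMPLE-02'; TargetUserName = 'localadmin'; TargetDomainName = 'WS-EXAMPLE-02'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.25' },
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-19T10:09:12'; Computer = 'WS-EXAMPLE-03'; TargetUserName = 'localadmin'; TargetDomainName = 'WS-EXAMPLE-03'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.25' },
    # Benign noise: a domain account (Kerberos) and a loopback logon are ignored.
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-19T10:04:00'; Computer = 'WS-EXAMPLE-02'; TargetUserName = 'jdoe';       TargetDomainName = 'CORP';          LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.40' },
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-19T10:05:00'; Computer = 'WS-EXAMPLE-01'; TargetUserName = 'localadmin'; TargetDomainName = 'WS-EXAMPLE-01'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '127.0.0.1' }
)

function Find-LocalAccountNetworkLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 30,   # how close together the logons must be
        [int] $HostThreshold = 3     # how many distinct hosts before we alert
    )
    $suspects = $Events | Where-Object {
        $_.LogonType -eq 3 -and
        $_.AuthenticationPackageName -eq 'NTLM' -and
        $_.TargetDomainName -eq $_.Computer -and           # local account: domain field is the host name
        $_.TargetUserName -notmatch '\$$' -and             # skip machine accounts
        $_.IpAddress -notin @('-', '127.0.0.1', '::1')     # skip loopback / no source
    }
    # One alert per (account, source IP) pair that reaches enough hosts inside the window.
    $suspects | Group-Object TargetUserName, IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        $hosts  = @($sorted | Select-Object -ExpandProperty Computer -Unique)
        $span   = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        if ($hosts.Count -ge $HostThreshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Account     = $sorted[0].TargetUserName
                SourceIp    = $sorted[0].IpAddress
                HostsHit    = $hosts.Count
                Hosts       = ($hosts -join ', ')
                SpanMinutes = [math]::Round($span, 1)
                FirstSeen   = $sorted[0].TimeCreated
                LastSeen    = $sorted[-1].TimeCreated
            }
        }
    }
}

# With the constructed sample this yields one alert: localadmin from 10.0.0.25 across 3 hosts in ~9 minutes.
Find-LocalAccountNetworkLogons -Events $SampleEvents | Format-Table -AutoSize
```

To run this on real data, collect `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }` from your hosts (or from a SIEM) and map the EventData fields `TargetUserName`, `TargetDomainName`, `LogonType`, `AuthenticationPackageName` and `IpAddress`, plus the event's `MachineName`, onto the record shape used above. Management tools that authenticate with a local account over NTLM produce the same pattern, so expect to exclude known administration hosts and tune the thresholds. The check also shows why unique per-host passwords matter: a hash stolen from one host then fails everywhere else, and this alert has nothing to fire on.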
The most typical malware transmission modes are the installation of unapproved software, downloading an email attachment, and visiting malicious websites. Malicious software generally runs with the same rights as the logged-on user. Local admin rights allow the code to run on the machine with full privileges and without any user notification, exposing the organization to a broader attack. Malware generally requires elevated privileges to gain a foothold on a machine.
The all-powerful local admin access allows attackers to bypass critical security settings, delete system logs, impersonate other logged-on accounts, run exploit code or tools, and eventually gain access to sensitive data. If the system runs applications with system privileges (typically scheduled tasks running applications and processes), attackers could simply attach malicious software to those existing applications and run it silently. And it is not just external hackers: even an internal user with malicious intent could attempt an attack if your organization's password policies are weak or not appropriately managed.
These are just a few examples of the major security risks and attack patterns. The possibilities are endless and limited only by the imagination and technical expertise of the hacker.
Time and again, hackers are seen exploiting weaknesses and vulnerabilities in the configuration of local admin accounts. What do we need to do to protect ourselves?
It is evident that local admin accounts carry significant security risks, and improper management could lead to disastrous situations. In sophisticated attacks, hackers dwell undetected for a prolonged time.
The mitigation strategy could be approached from two perspectives:
When deciding to retain the local admin accounts, the foremost thing to do is to minimize their number: unnecessary accounts should be removed. Then a strong password policy should be enforced. You shouldn’t end up storing the passwords in text files or spreadsheets. Managing passwords manually is next to impossible and a major security risk in itself. There are two ways in which you can properly and efficiently manage the local admin accounts.
Let us discuss the pros and cons of the two approaches in the next part.
Next part: Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)