Raja Viswanathan
Mar 19 · 4 min read
We are all too familiar with the local administrator account that gets created automatically when installing a Windows computer. The local admin is all too powerful but restricted only to that local computer. The account offers complete control over files, folders, services, and local user permissions management. The local admins can install any software, modify or disable security settings, transfer data, and create any number of new local admins.
Local accounts with administrator privileges are considered necessary to be able to run system updates, software upgrades, and hardware usage. They are also helpful to gain local access to machines when the network goes down and when your organization faces some technical glitches.
From a security perspective, local admin accounts by themselves won’t cause major issues. But not managing them properly can have serious repercussions. We live in a period where social engineering attacks are used as a primary mode to trap people to fall prey and expose their credentials. All that a hacker needs to execute a massive attack is gaining access to a local admin account. It takes just one compromised Windows host for an attacker to move laterally in your network and wreak havoc.
Over 90% of the vulnerabilities in Windows arise due to local admin rights. Why is it so?
Before analyzing the security risks associated with improper management of local admin accounts, let’s review some common practices.
Do you know the number of local admin accounts you have in your organization?
Most likely, the answer would be ‘no.’ You are not alone. Even some very large organizations with mature security models do not have this visibility. Consider a Windows environment with hundreds of machines. If there is no visibility on the number of local admin accounts and how they are being used, it is undoubtedly the starting point for major security issues.
One password to unlock any local admin account
It is very common to see the same password assigned to all/most local administrator accounts in the organization. It makes the life of IT staff and helpdesk technicians very easy. When Windows machines are deployed in bulk, sometimes the configuration is done by creating a Windows image with a local admin account. The image is pushed on all machines.
When doing so, all the machines get the same password, which is usually ignored or forgotten. A few other organizations follow the practice of assigning identical passwords that follow a set pattern. When one password is known, it is not tough to guess other passwords. All that hackers need is just one local admin password.
Let’s now take a deep look into some of the security risks.
Pass-the-hash attacks and lateral movement
Windows caches the passwords as hashes to facilitate single sign-on. If an attacker gains access to a system (say, through a social engineering attack), all that is needed is to pass the hashes. The attacker need not even try to get the password in plain-text. Hash dump tools like Mimikatz will get them the hashes. Just the hash is enough for successful authentication. If the hacker could get the hash of one local admin account, lateral movement becomes easy as most of the devices are assigned with the same password.
The situation becomes worse if the machine was previously accessed using domain administrator credentials. The attacker could get the hashes of the domain admin credentials.
Risk of malware entry
The most typical malware transmission modes are the installation of unapproved software, downloading an email attachment, and visiting malicious websites. Most of the malicious software generally runs with the same rights as the user who is logged on. Local admin rights allow the code to be run on local machines with full privileges without user notifications exposing the organization to a broader attack. Malware generally requires elevated privileges to gain a foothold on machines.
Bypass security settings, run exploit code
The all-powerful local admin access allows hackers to bypass critical security settings, delete system logs, impersonate other logged-on accounts, run exploit code or tools, and eventually gain access to sensitive data. If the system runs applications with system privileges (typically scheduled tasks running applications and processes), attackers could simply attach malicious software to the existing applications and run them silently. Not just external hackers, even an internal user with malicious intent could try to attack if your organization password policies are weak or not appropriately managed.
These are just a few examples of the major security risks and attack patterns. The possibilities are endless and limited only to the imagination and technical expertise of the hacker.
Time and again, hackers are seen exploiting weaknesses and vulnerabilities in the configurations related to local admin accounts. What do we need to do to protect?
How do we mitigate the security risks?
It is evident that local admin accounts carry significant security risks, and improper management could lead to disastrous situations. In sophisticated attacks, hackers dwell undetected for a prolonged time.
The mitigation strategy could be approached from two perspectives:
- Eliminate the local admin accounts altogether; make everyone a standard user. But this approach leads to the introduction of the ‘request-approval’ concept. Employees might have to wait for permissions resulting in delays, productivity loss, and frustrations. Is there a way to eliminate local admin accounts, overcome these hurdles and make the process seamless?
- Retain the accounts, manage them properly. While this approach proves to be very convenient, it requires careful planning, management, and maintenance to mitigate the risks. The passwords should be strong, unique, and periodically changed. Endusers should be educated about the implications of their activities as local admin and the associated security risks. Is there a way to automate the management of the local admin accounts and reduce the risks?
Let us analyze the second approach first. While retaining the local admin accounts, how to enforce the best practices?
When deciding to retain the local admin accounts, the foremost thing to be done is to minimize the number of local admin accounts - unnecessary accounts should be removed. Then a strong password policy should be enforced. You shouldn’t end up storing the passwords on text files or spreadsheets. Managing passwords manually is next to impossible and major security risk in itself. There are two ways in which you can properly and efficiently manage the local admin accounts.
- Using Microsoft Local Administrator Password Solution (LAPS)
- Deploying a Privileged Account Management (PAM) Solution
Let us discuss the pros and cons of the two approaches in the next part.
Recent Topics
-
Identity thefts and data breaches - The aftermath of privileged access mismanagement
Cybersecurity is a growing concern for businesses of all sizes, as advanced hackers and cybercriminals...
Zaheeruddin Ahmed
Dec 27 · 4 min read
-
Spate of cyberattacks rock the land down under
Lack of API security, exposed credentials, and misuse of privileged access continue to cause harm...
Rajaraman Viswanathan
Nov 25 · 4 min read
-
Make this Thanksgiving a memorable one. Treat yourself to a surprise!
We're planning to make this year's Thanksgiving extra special.
Zaheeruddin Ahmed
Nov 21 · 2 min read
-
The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security
As Halloween is dedicated to remembering the martyred, organizations falling victim to data breaches remind us...
Shyam Senthilnathan
Oct 20 · 4 min read
-
We're at GITEX, Dubai. Come, meet us!
Are you planning to participate in GITEX, Dubai? If yes, this is a great opportunity to meet our product experts and get a ...
Zaheeruddin Ahmed
Oct 10 · 2 min read
-
May God defend me from my friends
As stories of trusted insiders causing information security breaches continue to unfold, it’s time organizations woke up to...
Raja Viswanathan
Dec 21 · 4 min read
-
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse rampant, hackers...
Balasubramanian Venkatramani
jun 7 · 5 min read
-
Eliminating Admin Rights and Controlling Applications (Part 3)
One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and...
Raja Viswanathan
May 17 · 4 min read
-
Looking for a Passwordstate alternative?
Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between...
Jithukrishnan
Apr 30 · 3 min read
-
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and...
Raja Viswanathan
Apr 06 · 3 min read
-
Top 10 password policy recommendations for sysadmins in 2021
Passwords are omnipresent in our personal and business digital environments. An average person has at least...
Jithukrishnan
Apr 01 · 6 min read
-
Local Admin Accounts - Security Risks and Best Practices (Part 1)
We are all too familiar with the local administrator account that gets created automatically when installing a Windows...
Raja Viswanathan
Mar 19 · 4 min read
-
Poor password security practices cause massive security breaches
Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials...
Balasubramanian Venkatramani
Mar 13 · 6 min read