We are all too familiar with the local administrator account that gets created automatically when installing a Windows computer. The local admin is all too powerful but restricted only to that local computer. The account offers complete control over files, folders, services, and local user permissions management. The local admins can install any software, modify or disable security settings, transfer data, and create any number of new local admins.

Local accounts with administrator privileges are considered necessary to be able to run system updates, software upgrades, and hardware usage. They are also helpful to gain local access to machines when the network goes down and when your organization faces some technical glitches.

From a security perspective, local admin accounts by themselves won’t cause major issues. But not managing them properly can have serious repercussions. We live in a period where social engineering attacks are used as a primary mode to trap people to fall prey and expose their credentials. All that a hacker needs to execute a massive attack is gaining access to a local admin account. It takes just one compromised Windows host for an attacker to move laterally in your network and wreak havoc.

Over 90% of the vulnerabilities in Windows arise due to local admin rights. Why is it so?

Before analyzing the security risks associated with improper management of local admin accounts, let’s review some common practices.

Do you know the number of local admin accounts you have in your organization?

Most likely, the answer would be ‘no.’ You are not alone. Even some very large organizations with mature security models do not have this visibility. Consider a Windows environment with hundreds of machines. If there is no visibility on the number of local admin accounts and how they are being used, it is undoubtedly the starting point for major security issues.

One password to unlock any local admin account

It is very common to see the same password assigned to all/most local administrator accounts in the organization. It makes the life of IT staff and helpdesk technicians very easy. When Windows machines are deployed in bulk, sometimes the configuration is done by creating a Windows image with a local admin account. The image is pushed on all machines.

When doing so, all the machines get the same password, which is usually ignored or forgotten. A few other organizations follow the practice of assigning identical passwords that follow a set pattern. When one password is known, it is not tough to guess other passwords. All that hackers need is just one local admin password.

Let’s now take a deep look into some of the security risks.

Pass-the-hash attacks and lateral movement

Windows caches the passwords as hashes to facilitate single sign-on. If an attacker gains access to a system (say, through a social engineering attack), all that is needed is to pass the hashes. The attacker need not even try to get the password in plain-text. Hash dump tools like Mimikatz will get them the hashes. Just the hash is enough for successful authentication. If the hacker could get the hash of one local admin account, lateral movement becomes easy as most of the devices are assigned with the same password.

The situation becomes worse if the machine was previously accessed using domain administrator credentials. The attacker could get the hashes of the domain admin credentials.

Risk of malware entry

The most typical malware transmission modes are the installation of unapproved software, downloading an email attachment, and visiting malicious websites. Most of the malicious software generally runs with the same rights as the user who is logged on. Local admin rights allow the code to be run on local machines with full privileges without user notifications exposing the organization to a broader attack. Malware generally requires elevated privileges to gain a foothold on machines.

Bypass security settings, run exploit code

The all-powerful local admin access allows hackers to bypass critical security settings, delete system logs, impersonate other logged-on accounts, run exploit code or tools, and eventually gain access to sensitive data. If the system runs applications with system privileges (typically scheduled tasks running applications and processes), attackers could simply attach malicious software to the existing applications and run them silently. Not just external hackers, even an internal user with malicious intent could try to attack if your organization password policies are weak or not appropriately managed.

These are just a few examples of the major security risks and attack patterns. The possibilities are endless and limited only to the imagination and technical expertise of the hacker.

Time and again, hackers are seen exploiting weaknesses and vulnerabilities in the configurations related to local admin accounts. What do we need to do to protect?

How do we mitigate the security risks?

It is evident that local admin accounts carry significant security risks, and improper management could lead to disastrous situations. In sophisticated attacks, hackers dwell undetected for a prolonged time.

The mitigation strategy could be approached from two perspectives:

1. Eliminate the local admin accounts altogether; make everyone a standard user. But this approach leads to the introduction of the ‘request-approval’ concept. Employees might have to wait for permissions resulting in delays, productivity loss, and frustrations. Is there a way to eliminate local admin accounts, overcome these hurdles and make the process seamless?
2. Retain the accounts, manage them properly. While this approach proves to be very convenient, it requires careful planning, management, and maintenance to mitigate the risks. The passwords should be strong, unique, and periodically changed. Endusers should be educated about the implications of their activities as local admin and the associated security risks. Is there a way to automate the management of the local admin accounts and reduce the risks?

Let us analyze the second approach first. While retaining the local admin accounts, how to enforce the best practices?

When deciding to retain the local admin accounts, the foremost thing to be done is to minimize the number of local admin accounts - unnecessary accounts should be removed. Then a strong password policy should be enforced. You shouldn’t end up storing the passwords on text files or spreadsheets. Managing passwords manually is next to impossible and major security risk in itself. There are two ways in which you can properly and efficiently manage the local admin accounts.

1. Using Microsoft Local Administrator Password Solution (LAPS)
2. Deploying a Privileged Account Management (PAM) Solution

Let us discuss the pros and cons of the two approaches in the next part.