Security Basics mailing list archives
Re: Removing Local Admin Accounts - What do you think?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 14 Jan 2008 17:42:12 +0100
On 2008-01-13 Rob Thompson wrote:
> I am asking this as I will be presenting this to a company, as they have proposed this idea and I want to show them exactly what they are considering getting themselves into. What is your professional opinion on removing the local administrator account?

Don't do it. The local administrator account exists for local system administration and troubleshooting purposes, e.g. in situations where for some reason the box is unable to access the network.

> Does this pose a security risk to have a local administrator account on a computer, so that IT staff (which are the only people in the organization that are entitled to this user/pass) can do work on a computer in a way that can not be "securely" audited? What I mean by this is, they all use this one account (for emergencies only), instead of using their own credentials over the network - thereby showing the local admin account was used, but not who used it.

Yes, that is possible. However, anyone with administrative privileges is able to bypass auditing measures anyway.

> What are the risks involved in removing this account?

See above.

> Is this a general best practice, from a security point of view?

Not that I'm aware of.

> If not, what is the best practice from a security point of view?

Give administrative privileges only to trusted persons. Use strong passwords for local admin accounts and change them on a regular basis.

> Lastly, do you believe or not, that if the IT staff wanted to compromise a box, anonymously, would they really need this local administrator account on the box? Or would they still be able to do this, without the account there? Why?

Yes, they can do that anyway, e.g. by booting some other system from removable media.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq