Re: Removing Local Admin Accounts - What do you think?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-01-13 Rob Thompson wrote:
> I am asking this as I will be presenting this to a company, as they
> have proposed this idea and I want to show them exactly what they are
> considering getting themselves into.
>
> What is your professional opinion on removing the local administrator
> account?

Don't do it. The local administrator account exists for local system
administration and troubleshooting purposes, e.g. in situations where
for some reason the box is unable to access the network.

> Does this pose a security risk to have a local administrator account
> on a computer, so that IT staff (which are the only people in the
> organization that are entitled to this user/pass) can do work on a
> computer in a way that can not be "securely" audited? What I mean by
> this is, they all use this one account (for emergencies only), instead
> of using their own credentials over the network - thereby showing the
> local admin account was used, but not who used it.

Yes, that is possible. However, anyone with administrative privileges is
able to bypass auditing measures anyway.

> What are the risks involved in removing this account?

See above.

> Is this a general best practice, from a security point of view?

Not that I'm aware of.

> If not, what is the best practice from a security point of view?

Give administrative privileges only to trusted persons. Use strong
passwords for local admin accounts and change them on a regular basis.

> Lastly, do you believe or not, that if the IT staff wanted to
> compromise a box, anonymously, would they really need this local
> administrator account on the box?  Or would they still be able to do
> this, without the account there?  Why?

Yes, they can do that anyway, e.g. by booting some other system from
removable media.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq