Educause Security Discussion mailing list archives

Re: Local Admin Access


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Fri, 14 May 2021 19:54:57 +0000

I missed this initially but since the thread is active now, I'll jump in.

We are working to eliminate users running as local admin. For staff who truly need it, including IT staff, we create a 
secondary account with local admin rights. We are also in the process of rolling out LAPS and plan to have it 
implemented everywhere within the next few weeks.

My concern isn't users abusing their privileges, it's that getting local admin is often a key step in compromising a 
domain. In particular, if you want to run mimikatz or another tool to dump credentials, you need local admin 
privileges. We're doing other things to protect against this (e.g., disabling WDigest, using the Protected Users group) 
but local admin still matters.
If regular user accounts have local admin, or if users are using a local admin account as their daily driver, it 
provides an attacker with a much easier pathway if they are successful in compromising those users' machines (they 
don't have to find a way to escalate). It's a mistake to look at local admin rights as affecting only the security of 
individual machines. Managing local admin rights is important for the security of the whole network/domain.

Steven Alexander
Director of IT Security
Kern Community College District
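
The following PowerShell is an added example, not part of Steven Alexander's message: run on a workstation, it reports unexpected members of the local Administrators group, the WDigest UseLogonCredential setting, and whether the legacy Microsoft LAPS policy is enabled. The $AllowedAdmins allow-list and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original message).
# $AllowedAdmins is a hypothetical allow-list; substitute your own account and group names.
$AllowedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup works regardless of the OS display language.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        # Name is DOMAIN\account or COMPUTER\account; compare only the account part.
        $short = ($m.Name -split '\\')[-1]
        if ($Allowed -notcontains $short) {
            [pscustomobject]@{ Name = $m.Name; Class = $m.ObjectClass; Source = $m.PrincipalSource }
        }
    }
}

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wdigest = Get-RegistryValueOrNull -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential'
$laps    = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -Name 'AdmPwdEnabled'

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    # 1 = WDigest keeps plaintext credentials in memory; 0 = disabled.
    # Absent = OS default, which is disabled on Windows 8.1 / Server 2012 R2 and later.
    WDigestCleartext  = if ($wdigest -eq 1) { 'ENABLED' }
                        elseif ($null -eq $wdigest) { 'OS default' }
                        else { 'Disabled' }
    # Policy value written by the legacy Microsoft LAPS Group Policy extension.
    LapsPolicyEnabled = ($laps -eq 1)
    # Empty string means every member of Administrators is on the allow-list.
    UnexpectedAdmins  = @(Get-UnexpectedLocalAdmin -Allowed $AllowedAdmins).Name -join '; '
}
```

Protected Users membership is a domain-side setting and is not covered by these local checks.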
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Emilie Kunze 
<ekunze () AUSTINCC EDU>
Sent: Wednesday, April 7, 2021 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Local Admin Access

We are curious how other institutions handle local admin access for faculty/staff?

Thank you,
Emilie



Emilie Kunze

IT Security Analyst Sr.

Acting Information Security Officer

Office of Information Technology

ekunze () austincc edu | o 512-223-1157

ACC Information Security <https://it.austincc.edu/departments/information-security/>

<https://www.facebook.com/accinfosec/>  <https://twitter.com/ACCInfoSec>





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

