funsec mailing list archives

Removing Local Administrator Account


From: Rob Thompson <my.security.lists () gmail com>
Date: Sun, 13 Jan 2008 11:27:15 -0800

Dear List,

I have cross posted this question to another security list that I belong
to, but I wanted to send this here as well, as I am specifically
interested in your responses.  I know you are all on this list and I can
find you all here, which is why I am sending it...well, here.

I know that this is off topic and this is not any kind of "Fun
Security", but I highly respect each of your opinions.  I know I do not
make many comments on this list, but I have watched it for over a year
and I do pay attention to your responses.  In my opinion you guys are
all the best of breed in what you do...

---

I am asking this as I will be presenting this to a company, as they have
proposed this idea and I want to show them exactly what they are
considering getting themselves into.

What is your professional opinion on removing the local administrator
account?

Does this pose a security risk to have a local administrator account on
a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited?  What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view?

If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to compromise
a box, anonymously, would they really need this local administrator
account on the box?  Or would they still be able to do this, without the
account there?  Why?

I sincerely appreciate your time and thank you in advance for any
answers that you may pose.  Also, if you see something that I did not
consider in my questions, please feel free to include that as well.

Please remember, if you think that this is a wise decision or not,
PLEASE state your answers and why.

--
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+