Re: Removing Local Administrator Account

[Rob Thompson <my.security.lists () gmail com>]

I wanted to thank every one that responded to the e-mail that I sent out
previously (below).  I had intended on writing back my 2 cents on the
whole thing and acknowledge receipt of the responses, a while ago.  I
got wrapped up and haven't really been able to get to too much else...
I didn't mean to be rude.

Anywho - I think that it is a bad idea to remove the Local Admin acct.
With the account gone, the only thing you are really doing is inhibiting
the functionality of your IT department.

If someone is going to do something malicious to the machine, they are
going to do it whether that account is there or not.

Again, thank you very much to every one that responded.  I really do
appreciate your time.

> Dear List,
>
> I have cross posted this question to another security list that I belong
> to, but I wanted to send this here as well, as I am specifically
> interested in your responses.  I know you are all on this list and I can
> find you all here, which is why I am sending it...well, here.
>
> I know that this is off topic and this is not any kind of "Fun
> Security", but I highly respect each of your opinions.  I know I do not
> make many comments on this list, but I have watched it for over a year
> and I do pay attention to your responses.  In my opinion you guys are
> all the best of breed in what you do...
>
> ---
>
> I am asking this as I will be presenting this to a company, as they have
> proposed this idea and I want to show them exactly what they are
> considering getting themselves into.
>
> What is your professional opinion on removing the local administrator
> account?
>
> Does this pose a security risk to have a local administrator account on
> a computer, so that IT staff (which are the only people in the
> organization that are entitled to this user/pass) can do work on a
> computer in a way that can not be "securely" audited?  What I mean by
> this is, they all use this one account (for emergencies only), instead
> of using their own credentials over the network - thereby showing the
> local admin account was used, but not who used it.
>
> What are the risks involved in removing this account?
>
> Is this a general best practice, from a security point of view?
>
> If not, what is the best practice from a security point of view?
>
> Lastly, do you believe or not, that if the IT staff wanted to compromise
> a box, anonymously, would they really need this local administrator
> account on the box?  Or would they still be able to do this, without the
> account there?  Why?
>
> I sincerely appreciate your time and thank you in advance for any
> answers that you may pose.  Also, if you see something that I did not
> consider in my questions, please feel free to include that as well.
>
> Please remember, if you think that this is a wise decision or not,
> PLEASE state your answers and why.

-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.