Solved

What are best practices of managing local administrator account in large company?

Posted on 2015-01-11
6
449 Views
Last Modified: 2015-01-12
Hey)

What are the best practices of managing local administrator account in large company with number of employees about 3000 in 1 office.

This is not very good, that 1 local administrator account have similar rights on all workstation. And the person that have local administrator password can connect to whatever workstation by admin share.

It's very easy for malicious user to collect administrator password. Just install keylogger and create some problem that require support personal to come to user's workstation and enter local administrator password. After this - the malicious user will have access to data in all workstations in company.

As I know if we disable local administrator account and the workstation will lost trust relationship with domain - I can just boot into safe mode and administrator account will be automatically enabled by Windows. Then I can create other temporary administrator account and boot normally.

But if there is no local administrator account on workstation I will be forced to use my domain account which also have access to all workstations and the password can be easily captured with keylogger. To overcome this I want to never enter my domain password on client workstation. So, when I go to resolve some problem on client workstation - I create local administrator account from remote MMC - Local users and groups before I go to client workstation. If workstation have no network access - I will go to it, reboot in safe mode and create temporary administrator account.

So the questions are:

1. Is it wise to disable administrator account on all client workstations?
2. Is it wise to create temporarily administrator account remotely from MMC when I go to troubleshoot some problem and if client workstation have no network - is it wise to boot in safe mode and create temporary local administrator account?
3. Are there any better ways of preventing malicious user to easily access all workstations in company?

Any links will be appreciated.

Thank you for your time and have a nice day)
0
Comment
Question by:TarasShumylo
6 Comments
 
LVL 93

Expert Comment

by:John Hurst
ID: 40543053
Starting with Windows 7 (Vista also perhaps), the local administrator account is disabled and should remain disabled. It should not be enabled for any reason and UAC should remain ON.

No user should be a member of the administrators group. There would normally be no exception or very rare exception to this.

I see no issue with making an account with a name unique to you as the local administrator on the machine. Users would not have access.

Then you and people you designate could manage the machine locally.

Are there any better ways of preventing malicious user to easily access all workstations in company?

Normally very strong passwords with special characters will accommodate this.

Your business policies should spell out that attempts to gain access to computers may be met with disciplinary action up to and including dismissal.
0
 
LVL 12

Expert Comment

by:FarWest
ID: 40543064
add a single special domain account to local administrators group is good (you can use GPO to do so) with caution,
what you can do to disable actions from keylogger is to enable this account only when needed and disable it when ever you finished, with periodic password change or whenever you get suspicious.
also  smart card or fingerprint reader specially for this user access

1. Is it wise to disable administrator account on all client workstations?
yes, but some working scenarios may require administrator permission ( ex. software developer machine)

2. Is it wise to create temporarily administrator account remotely from MMC when I go to troubleshoot some problem and if client workstation have no network - is it wise to boot in safe mode and create temporary local administrator account?
you will not need that if you follow my suggestion, but you have to remember last cached password when machine is offline
3. Are there any better ways of preventing malicious user to easily access all workstations in company?
as Mr. Husrt said your company policies should be strict, also usually this will be done (malicious access) using remote desktop (since my it is not applicable to sit on someone else desk) so disable the account when it is not use is a good practice, and make it's logon time within company working hours will narrow this down.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40543102
You should be disabling and renaming the local admin password via GPO. As stated before you should be creating a unique local administrator account that differs from Workstations and Servers. Local Admin accounts should be different from workstations and severs so that say desktop support does not have the local admin passwords to the server infrastructure.

Will.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40543110
I haven't got the time right now and will answer thoroughly later on.
But two facts need to be set straight,. first:
-you cannot boot into safe mode and get Access to the admin account on Domain joined Computers. Domain joined Computers behave differently.
-keyloggers are stopped by UAC. If an admin is called to do admin work supporting a malicious user, the keylogger cannot record the keystrokes that are entered to a UAC prompt thanks to the secure Desktop technique.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40543180
Back for more.

Scenario1: end user needs support in his session (problem with settings, no admin credentials needed)
->You should use remote assistance and act as the user

Scenario2: end user needs support with a problem that is not session-exclusive and will need admin credentials to overcome it
->You should use remote desktop so you get a separate session, keyloggers that were started as the user in his session don't work here.
->If you prefer to enter the credentials in the user's session, you would need to make sure they are entered on the secure desktop (UAC default). But this is risky as the user might Watch the keyboard very closely, so it's not recommended.

Scenario3: you are supporting a Workstation, where the user already is local admin for whatever reason
->I have described the scenario, the dangers and the countermeasures here: http://www.experts-exchange.com/Networking/Security/Q_28353295.html
0
 
LVL 3

Author Comment

by:TarasShumylo
ID: 40544031
I have no time to investigate this issue more, because it turn out to be very complex.

I accept the answer of McKnife as most informative on this problem. McKnife, thank you for big work done on this subject.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
An article on effective troubleshooting
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question