
Solved

What are best practices of managing local administrator account in large company?

Posted on 2015-01-11
839 Views
Last Modified: 2015-01-12
Hey,

What are the best practices for managing the local administrator account in a large company with about 3000 employees in one office?

It is not very good that one local administrator account has the same rights on all workstations, and that a person who has the local administrator password can connect to any workstation via the admin share.

It's very easy for a malicious user to collect the administrator password: just install a keylogger and create some problem that requires support personnel to come to the user's workstation and enter the local administrator password. After this, the malicious user will have access to the data on all workstations in the company.

As far as I know, if we disable the local administrator account and the workstation loses its trust relationship with the domain, I can just boot into safe mode and the administrator account will be automatically enabled by Windows. Then I can create another temporary administrator account and boot normally.

But if there is no local administrator account on the workstation, I will be forced to use my domain account, which also has access to all workstations, and its password can easily be captured with a keylogger. To overcome this I want to never enter my domain password on a client workstation. So, when I go to resolve some problem on a client workstation, I create a local administrator account from a remote MMC (Local Users and Groups) before I go to the client workstation. If the workstation has no network access, I will go to it, reboot into safe mode and create a temporary administrator account.

So the questions are:

1. Is it wise to disable the administrator account on all client workstations?
2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?

Any links will be appreciated.

Thank you for your time and have a nice day.
Question by:TarasShumylo
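The questioner's own procedure (create a throw-away local administrator on the target from a remote console before walking over, remove it afterwards), scripted as an added example that is not part of the original post. The point of the scheme is that the only password ever typed on the suspect workstation belongs to an account that is deleted the same day, so a keylogger capture is worthless elsewhere. It assumes Windows PowerShell on a domain-joined admin station whose domain account is already in the target's local Administrators group, and that TCP 445 to the target is reachable (the WinNT ADSI provider rides on SMB/RPC and needs no PowerShell remoting). `$Computer` and the account name `tmp-support` are placeholders.

```powershell
# Added example: per-visit temporary local administrator, created and removed remotely.
# Assumes Windows PowerShell, the WinNT ADSI provider reachable on TCP 445, and an
# admin-station account that is already a local Administrator on $Computer.
param(
    [Parameter(Mandatory = $true)][string]$Computer,
    [string]$AccountName = 'tmp-support',   # placeholder name
    [switch]$Remove
)

Add-Type -AssemblyName System.Web   # Membership.GeneratePassword (Windows PowerShell only)

$ComputerAdsi = [ADSI]"WinNT://$Computer"
$AdminsGroup  = [ADSI]"WinNT://$Computer/Administrators,group"
$UserPath     = "WinNT://$Computer/$AccountName,user"

if ($Remove) {
    # Clean-up after the visit: drop the group membership first, then the account.
    $AdminsGroup.Remove($UserPath)
    $ComputerAdsi.Delete('user', $AccountName)
    Write-Output "Removed $AccountName from $Computer"
    return
}

# 20 characters with at least 4 non-alphanumerics; generated per visit, never reused.
$Password = [System.Web.Security.Membership]::GeneratePassword(20, 4)

$User = $ComputerAdsi.Create('user', $AccountName)
$User.SetPassword($Password)
$User.SetInfo()
$User.Put('Description', "Temporary support account created $(Get-Date -Format s); delete after visit")
$User.SetInfo()
$AdminsGroup.Add($UserPath)

# Shown once, on the admin station only. It stops working as soon as -Remove runs.
Write-Output "Created $AccountName on $Computer with password: $Password"
```

Run it once with `-Computer WS0123` before the visit and again with `-Computer WS0123 -Remove` afterwards. The technician's own domain credentials never touch the workstation's keyboard, which is the questioner's goal; the account description carries a timestamp so leftovers can be found and deleted if someone forgets the second run.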
6 Comments
 
LVL 98

Expert Comment

by:John Hurst
ID: 40543053
Starting with Windows 7 (Vista also perhaps), the local administrator account is disabled and should remain disabled. It should not be enabled for any reason and UAC should remain ON.

No user should be a member of the administrators group. There would normally be no exception or very rare exception to this.

I see no issue with making an account with a name unique to you as the local administrator on the machine. Users would not have access.

Then you and people you designate could manage the machine locally.

Are there any better ways of preventing malicious user to easily access all workstations in company?

Normally very strong passwords with special characters will accommodate this.

Your business policies should spell out that attempts to gain access to computers may be met with disciplinary action up to and including dismissal.
 
LVL 12

Expert Comment

by:FarWest
ID: 40543064
Adding a single special domain account to the local Administrators group is good (you can use GPO to do so), with caution.
What you can do to defeat a keylogger is to enable this account only when needed and disable it whenever you have finished, with periodic password changes or whenever you get suspicious.
Also use a smart card or fingerprint reader, especially for this user's access.

1. Is it wise to disable the administrator account on all client workstations?
Yes, but some working scenarios may require administrator permission (e.g. a software developer's machine).

2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
You will not need that if you follow my suggestion, but you have to remember the last cached password when the machine is offline.
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?
As Mr. Hurst said, your company policies should be strict. Also, this (malicious access) will usually be done using remote desktop (since it is not practical to sit at someone else's desk), so disabling the account when it is not in use is good practice, and restricting its logon hours to company working hours will narrow this down.
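The lifecycle FarWest describes for a single dedicated domain support account (kept disabled, enabled with a fresh password only for the duration of a job, disabled and reset afterwards, and limited to office hours), as an added example that is not FarWest's code or part of the original thread. It assumes the RSAT ActiveDirectory module under Windows PowerShell, that GPO (Restricted Groups or Group Policy Preferences) already places the account in every workstation's local Administrators group, and that the account name `svc-wksadmin` and the UTC+2 offset are placeholders.

```powershell
# Added example: on-demand enable/disable and logon-hours restriction for the
# dedicated domain support account. Assumes RSAT ActiveDirectory and Windows PowerShell.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # Membership.GeneratePassword

$SupportAccount = 'svc-wksadmin'    # placeholder

function New-LogonHours {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # starting Sunday 00:00 UTC, least significant bit first within each byte.
    # AD stores the mask in UTC, so local office hours are shifted by the offset.
    param(
        [int[]]$Days = 1..5,          # 0 = Sunday .. 6 = Saturday, local time
        [int]$StartHour = 8,          # inclusive, local time
        [int]$EndHour = 18,           # exclusive, local time
        [int]$UtcOffsetHours = 0      # 2 for UTC+2 (placeholder value below)
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $utcIndex = ((($d * 24 + $h - $UtcOffsetHours) % 168) + 168) % 168
            $byte = [int][math]::Floor($utcIndex / 8)
            $bit  = $utcIndex % 8
            $mask[$byte] = [byte]($mask[$byte] -bor (1 -shl $bit))
        }
    }
    return ,$mask    # leading comma keeps the byte[] from being unrolled
}

function Enable-SupportAccount {
    # Start of a job: new password, enable, hand the password to the technician once.
    $password = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    Set-ADAccountPassword -Identity $SupportAccount -Reset `
        -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
    Enable-ADAccount -Identity $SupportAccount
    return $password
}

function Disable-SupportAccount {
    # End of the job, or on suspicion: disable and throw the password away, so a
    # keylogger capture from the visit is worthless afterwards.
    Disable-ADAccount -Identity $SupportAccount
    $junk = [System.Web.Security.Membership]::GeneratePassword(32, 8)
    Set-ADAccountPassword -Identity $SupportAccount -Reset `
        -NewPassword (ConvertTo-SecureString $junk -AsPlainText -Force)
}

# One-off: office hours Mon-Fri 08:00-18:00 local, workstations at UTC+2 (placeholder).
Set-ADUser -Identity $SupportAccount -Replace @{ logonHours = (New-LogonHours -UtcOffsetHours 2) }

# Typical use:
#   $pw = Enable-SupportAccount
#   ... support job ...
#   Disable-SupportAccount
```

Two caveats a practitioner should keep in mind: disabling the account does not end an interactive session that is already open, and Kerberos tickets already issued remain valid until they expire, so the disable step shrinks the window rather than closing it instantly. And, as FarWest notes, a workstation that is offline can only verify the last password it cached, so a reset made while it was disconnected is not visible to it until it talks to a domain controller again.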
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40543102
You should be disabling and renaming the local admin account via GPO. As stated before, you should be creating a unique local administrator account that differs between workstations and servers. Local admin accounts should be different on workstations and servers so that, say, desktop support does not have the local admin passwords to the server infrastructure.

Will.
 
LVL 56

Accepted Solution

by:McKnife (earned 2000 total points)
ID: 40543110
I haven't got the time right now and will answer thoroughly later on.
But two facts need to be set straight. First:
- You cannot boot into safe mode and get access to the admin account on domain-joined computers. Domain-joined computers behave differently.
- Keyloggers are stopped by UAC. If an admin is called to do admin work supporting a malicious user, the keylogger cannot record the keystrokes that are entered into a UAC prompt, thanks to the secure desktop technique.
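An added audit script (not McKnife's code or part of the original thread) that checks, across a list of workstations, the two facts the accepted answer rests on: that the built-in Administrator (RID 500, whatever GPO has renamed it to) is disabled, and that UAC is on with credential prompts landing on the secure desktop, where a user-mode keylogger in the logged-on session cannot see them. It assumes Windows PowerShell, remote WMI (DCOM) and the Remote Registry service reachable on the targets, and that `$Computers` is a placeholder list.

```powershell
# Added example: audit built-in Administrator status and UAC secure-desktop policy.
# Assumes Windows PowerShell, remote WMI and Remote Registry access to each target.
param([string[]]$Computers = @($env:COMPUTERNAME))   # placeholder list

$PolicyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    param([string]$Computer)
    # Values absent from the key mean "Windows default", so the defaults are returned.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hive.OpenSubKey($PolicyKey)
    try {
        [pscustomobject]@{
            EnableLUA                 = [int]$key.GetValue('EnableLUA', 1)
            PromptOnSecureDesktop     = [int]$key.GetValue('PromptOnSecureDesktop', 1)
            # 0 = auto-deny, 1 = credentials on secure desktop, 3 = credentials (default)
            ConsentPromptBehaviorUser = [int]$key.GetValue('ConsentPromptBehaviorUser', 3)
        }
    } finally {
        $key.Close(); $hive.Close()
    }
}

function Get-BuiltinAdministrator {
    param([string]$Computer)
    # LocalAccount='True' keeps WMI from enumerating the whole domain. The RID-500
    # account keeps its SID suffix no matter what GPO renamed it to.
    Get-WmiObject -ComputerName $Computer -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -like '*-500' } |
        Select-Object Name, Disabled, SID
}

foreach ($c in $Computers) {
    $uac   = Get-UacPolicy -Computer $c
    $admin = Get-BuiltinAdministrator -Computer $c
    # Prompts reach the secure desktop when UAC is on and either the global switch
    # is set or the standard-user behaviour explicitly demands the secure desktop.
    $secureDesktop = ($uac.EnableLUA -eq 1) -and
                     ($uac.PromptOnSecureDesktop -eq 1 -or $uac.ConsentPromptBehaviorUser -eq 1)
    [pscustomobject]@{
        Computer             = $c
        BuiltinAdminName     = $admin.Name
        BuiltinAdminDisabled = $admin.Disabled
        UacSecureDesktop     = $secureDesktop
        OK                   = ($admin.Disabled -and $secureDesktop)
    }
}
```

Pipe the output to `Where-Object { -not $_.OK }` to get the list of machines that need attention. Note that `ConsentPromptBehaviorUser = 0` (automatically deny elevation) also keeps credentials off the keylogger, but only because no in-session elevation is possible at all; on such machines the support person must use a separate Remote Desktop session, which is McKnife's Scenario 2 below.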
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 40543180
Back for more.

Scenario 1: end user needs support in his session (problem with settings, no admin credentials needed)
-> You should use Remote Assistance and act as the user.

Scenario 2: end user needs support with a problem that is not session-exclusive and will need admin credentials to overcome it
-> You should use Remote Desktop so you get a separate session; keyloggers that were started as the user in his session don't work there.
-> If you prefer to enter the credentials in the user's session, you would need to make sure they are entered on the secure desktop (UAC default). But this is risky as the user might watch the keyboard very closely, so it's not recommended.

Scenario 3: you are supporting a workstation where the user already is local admin for whatever reason
-> I have described the scenario, the dangers and the countermeasures here: http://www.experts-exchange.com/Networking/Security/Q_28353295.html
 
LVL 3

Author Comment

by:TarasShumylo
ID: 40544031
I have no time to investigate this issue further, because it turned out to be very complex.

I accept McKnife's answer as the most informative on this problem. McKnife, thank you for the big work done on this subject.