Solved

What are best practices of managing local administrator account in large company?

Posted on 2015-01-11
6
571 Views
Last Modified: 2015-01-12
Hey)

What are the best practices of managing local administrator account in large company with number of employees about 3000 in 1 office.

This is not very good, that 1 local administrator account have similar rights on all workstation. And the person that have local administrator password can connect to whatever workstation by admin share.

It's very easy for malicious user to collect administrator password. Just install keylogger and create some problem that require support personal to come to user's workstation and enter local administrator password. After this - the malicious user will have access to data in all workstations in company.

As I know if we disable local administrator account and the workstation will lost trust relationship with domain - I can just boot into safe mode and administrator account will be automatically enabled by Windows. Then I can create other temporary administrator account and boot normally.

But if there is no local administrator account on workstation I will be forced to use my domain account which also have access to all workstations and the password can be easily captured with keylogger. To overcome this I want to never enter my domain password on client workstation. So, when I go to resolve some problem on client workstation - I create local administrator account from remote MMC - Local users and groups before I go to client workstation. If workstation have no network access - I will go to it, reboot in safe mode and create temporary administrator account.

So the questions are:

1. Is it wise to disable administrator account on all client workstations?
2. Is it wise to create temporarily administrator account remotely from MMC when I go to troubleshoot some problem and if client workstation have no network - is it wise to boot in safe mode and create temporary local administrator account?
3. Are there any better ways of preventing malicious user to easily access all workstations in company?

Any links will be appreciated.

Thank you for your time and have a nice day)
0
Comment
Question by:TarasShumylo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 40543053
Starting with Windows 7 (Vista also perhaps), the local administrator account is disabled and should remain disabled. It should not be enabled for any reason and UAC should remain ON.

No user should be a member of the administrators group. There would normally be no exception or very rare exception to this.

I see no issue with making an account with a name unique to you as the local administrator on the machine. Users would not have access.

Then you and people you designate could manage the machine locally.

Are there any better ways of preventing malicious user to easily access all workstations in company?

Normally very strong passwords with special characters will accommodate this.

Your business policies should spell out that attempts to gain access to computers may be met with disciplinary action up to and including dismissal.
0
 
LVL 12

Expert Comment

by:FarWest
ID: 40543064
add a single special domain account to local administrators group is good (you can use GPO to do so) with caution,
what you can do to disable actions from keylogger is to enable this account only when needed and disable it when ever you finished, with periodic password change or whenever you get suspicious.
also  smart card or fingerprint reader specially for this user access

1. Is it wise to disable administrator account on all client workstations?
yes, but some working scenarios may require administrator permission ( ex. software developer machine)

2. Is it wise to create temporarily administrator account remotely from MMC when I go to troubleshoot some problem and if client workstation have no network - is it wise to boot in safe mode and create temporary local administrator account?
you will not need that if you follow my suggestion, but you have to remember last cached password when machine is offline
3. Are there any better ways of preventing malicious user to easily access all workstations in company?
as Mr. Husrt said your company policies should be strict, also usually this will be done (malicious access) using remote desktop (since my it is not applicable to sit on someone else desk) so disable the account when it is not use is a good practice, and make it's logon time within company working hours will narrow this down.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40543102
You should be disabling and renaming the local admin password via GPO. As stated before you should be creating a unique local administrator account that differs from Workstations and Servers. Local Admin accounts should be different from workstations and severs so that say desktop support does not have the local admin passwords to the server infrastructure.

Will.
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40543110
I haven't got the time right now and will answer thoroughly later on.
But two facts need to be set straight,. first:
-you cannot boot into safe mode and get Access to the admin account on Domain joined Computers. Domain joined Computers behave differently.
-keyloggers are stopped by UAC. If an admin is called to do admin work supporting a malicious user, the keylogger cannot record the keystrokes that are entered to a UAC prompt thanks to the secure Desktop technique.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40543180
Back for more.

Scenario1: end user needs support in his session (problem with settings, no admin credentials needed)
->You should use remote assistance and act as the user

Scenario2: end user needs support with a problem that is not session-exclusive and will need admin credentials to overcome it
->You should use remote desktop so you get a separate session, keyloggers that were started as the user in his session don't work here.
->If you prefer to enter the credentials in the user's session, you would need to make sure they are entered on the secure desktop (UAC default). But this is risky as the user might Watch the keyboard very closely, so it's not recommended.

Scenario3: you are supporting a Workstation, where the user already is local admin for whatever reason
->I have described the scenario, the dangers and the countermeasures here: http://www.experts-exchange.com/Networking/Security/Q_28353295.html
0
 
LVL 3

Author Comment

by:TarasShumylo
ID: 40544031
I have no time to investigate this issue more, because it turn out to be very complex.

I accept the answer of McKnife as most informative on this problem. McKnife, thank you for big work done on this subject.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question