
What are best practices of managing local administrator account in large company?

Posted on 2015-01-11
Last Modified: 2015-01-12
Hey)

What are the best practices for managing the local administrator account in a large company with about 3000 employees in one office?

It is not very good that one local administrator account has the same rights on all workstations, and that the person who has the local administrator password can connect to any workstation through the admin share.

It's very easy for a malicious user to collect the administrator password: just install a keylogger and create some problem that requires support personnel to come to the user's workstation and enter the local administrator password. After this, the malicious user will have access to the data on all workstations in the company.

As far as I know, if we disable the local administrator account and the workstation loses its trust relationship with the domain, I can just boot into safe mode and the administrator account will be enabled automatically by Windows. Then I can create another temporary administrator account and boot normally.

But if there is no local administrator account on the workstation, I will be forced to use my domain account, which also has access to all workstations and whose password can be easily captured with a keylogger. To overcome this I want to never enter my domain password on a client workstation. So, when I go to resolve some problem on a client workstation, I create a local administrator account from a remote MMC (Local Users and Groups) before I go to the client workstation. If the workstation has no network access, I will go to it, reboot into safe mode and create a temporary administrator account.

So the questions are:

1. Is it wise to disable the administrator account on all client workstations?
2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?

Any links will be appreciated.

Thank you for your time and have a nice day)
Question by:TarasShumylo
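The "create a local administrator from a remote MMC before I walk over" step the question describes, done from PowerShell instead. This is an added example, not code from the original post: it creates a short-lived local admin on the remote workstation with a random password, so the technician's domain password is never typed on the client, and deletes the account again afterwards. It assumes you are already a local administrator on the target through a GPO, that the target's RPC/SMB ports are reachable, and that the WinNT ADSI provider is available (PowerShell 2.0 or later on Windows 7 and later); the computer name, account-name prefix and ticket reference are hypothetical. The password is still typed at the workstation's keyboard, so the account's value lies in being unique to one machine and one visit.

```powershell
# Added example (not from the original post). Creates a short-lived local admin on a
# remote workstation from your own machine and deletes it again afterwards.
# Assumptions: you are already a local administrator on the target via GPO, RPC/SMB
# to the target is open, and the WinNT ADSI provider is available. WS1234, the
# "tmpadm-" prefix and the ticket number are hypothetical.

function New-RandomPassword {
    param([int]$Length = 24)
    # CSPRNG bytes mapped onto the alphabet with rejection sampling (no modulo bias).
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer   = New-Object byte[] 1
    $out      = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) { [void]$out.Append($alphabet[$buffer[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

function New-TemporaryLocalAdmin {
    param(
        [Parameter(Mandatory=$true)][string]$Computer,
        [string]$Name   = "tmpadm-$(Get-Date -Format yyyyMMddHHmm)",
        [string]$Reason = 'support visit'
    )
    $password = New-RandomPassword
    $machine  = [ADSI]"WinNT://$Computer"
    $user     = $machine.Create('User', $Name)
    $user.SetPassword($password)
    $user.SetInfo()
    $user.Put('Description', "TEMPORARY - $Reason - delete when the task is finished")
    $user.SetInfo()
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    $admins.Add("WinNT://$Computer/$Name,user")
    # Hand back a credential object rather than printing the password to the console.
    New-Object System.Management.Automation.PSCredential(
        "$Computer\$Name", (ConvertTo-SecureString $password -AsPlainText -Force))
}

function Remove-TemporaryLocalAdmin {
    param([Parameter(Mandatory=$true)][string]$Computer,
          [Parameter(Mandatory=$true)][string]$Name)
    $machine = [ADSI]"WinNT://$Computer"
    $machine.Delete('User', $Name)   # removes the account together with its group memberships
}

# Usage (hypothetical workstation WS1234, ticket 4711):
# $cred = New-TemporaryLocalAdmin -Computer WS1234 -Reason 'ticket 4711'
# ... do the on-site work, entering $cred at the UAC prompt ...
# Remove-TemporaryLocalAdmin -Computer WS1234 -Name ($cred.UserName -split '\\')[1]
```

Run the removal as soon as the ticket is closed; a forgotten "temporary" admin with a known password is exactly the shared account the question is trying to get rid of.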

Expert Comment

by:John
ID: 40543053
Starting with Windows 7 (Vista also, perhaps), the local administrator account is disabled and should remain disabled. It should not be enabled for any reason, and UAC should remain ON.

No user should be a member of the Administrators group. There would normally be no exception, or only a very rare exception, to this.

I see no issue with making an account with a name unique to you as the local administrator on the machine. Users would not have access.

Then you and the people you designate could manage the machine locally.

Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?

Normally, very strong passwords with special characters will accommodate this.

Your business policies should spell out that attempts to gain access to computers may be met with disciplinary action up to and including dismissal.

Expert Comment

by:FarWest
ID: 40543064
Adding a single special domain account to the local Administrators group is good (you can use a GPO to do so), with caution.
What you can do to defeat a keylogger is to enable this account only when needed and disable it whenever you have finished, with periodic password changes, or whenever you get suspicious.
Also use a smart card or fingerprint reader, especially for this user's access.

1. Is it wise to disable the administrator account on all client workstations?
Yes, but some working scenarios may require administrator permissions (e.g. a software developer's machine).

2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
You will not need that if you follow my suggestion, but you have to remember the last cached password when the machine is offline.
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?
As Mr. Hurst said, your company policies should be strict. Also, usually this (malicious access) will be done using Remote Desktop (since it is not practical to sit at someone else's desk), so disabling the account when it is not in use is good practice, and restricting its logon times to company working hours will narrow this down.
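The lifecycle FarWest describes for a dedicated domain support account (in every workstation's local Administrators group via GPO, normally disabled, enabled with a fresh password and restricted logon hours only while a task is under way, then disabled again), as an added example that is not FarWest's own code. It assumes the ActiveDirectory RSAT module, rights over the account, and a hypothetical account name "svc-deskadmin". The logonHours layout used (21 bytes, one bit per hour starting Sunday 00:00 UTC, low bit of each byte first) is an assumption of this example; verify it on a test account before relying on the window, and remember that disabling the account in AD does not reach a machine that is offline with cached credentials.

```powershell
# Added example, not from the original post. Break-glass handling for a domain
# support account that a GPO places in every workstation's local Administrators group.
# Assumptions: ActiveDirectory module available, account name "svc-deskadmin" is
# hypothetical, logonHours bit layout as described in the comments (assumed, verify).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for Membership.GeneratePassword (CSPRNG-backed)

$Account = 'svc-deskadmin'             # hypothetical

function New-LogonHoursMask {
    # Days: 0 = Sunday ... 6 = Saturday. Hours are UTC, so shift them for your time zone.
    # Assumed layout: byte (bit / 8), low bit first; all-zero means "never".
    param([int[]]$Days = @(1, 2, 3, 4, 5), [int]$StartHourUtc = 7, [int]$EndHourUtc = 17)
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit  = $d * 24 + $h
            $byte = [int][math]::Floor($bit / 8)
            $mask[$byte] = [byte]($mask[$byte] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    ,$mask
}

function New-SupportPassword {
    ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(24, 6)) -AsPlainText -Force
}

function Enable-SupportAccount {
    param([string]$Reason = 'support task')
    $secure = New-SupportPassword
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword $secure
    Set-ADUser -Identity $Account -Description "enabled $(Get-Date -Format u) for $Reason" `
        -Replace @{ logonHours = [byte[]](New-LogonHoursMask) }
    Enable-ADAccount -Identity $Account
    New-Object System.Management.Automation.PSCredential("$env:USERDOMAIN\$Account", $secure)
}

function Disable-SupportAccount {
    Disable-ADAccount -Identity $Account
    # Rotate once more: the password typed during the task must not outlive the task,
    # and clearing logonHours blocks the account even if someone re-enables it by hand.
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword (New-SupportPassword)
    Set-ADUser -Identity $Account -Replace @{ logonHours = [byte[]](New-Object byte[] 21) }
}

# Usage:
# $cred = Enable-SupportAccount -Reason 'ticket 4711'
# ... support work ...
# Disable-SupportAccount
```

If the account is issued a smart card, `Set-ADUser -Identity $Account -SmartcardLogonRequired $true` removes the typed password entirely, which is the stronger form of the smart-card suggestion above.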

Expert Comment

by:Will Szymkowski
ID: 40543102
You should be disabling and renaming the local admin password via GPO. As stated before, you should be creating a unique local administrator account that differs between workstations and servers. Local admin accounts should be different for workstations and servers so that, say, desktop support does not have the local admin passwords to the server infrastructure.

Will.
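A check for the points John and Will make above (built-in Administrator disabled and renamed, nobody in the local Administrators group who is not supposed to be there, and a separate allow-list per tier so a workstation-support account never appears on a server), as an added example that is not code from either post. It identifies the built-in account by its RID 500, which survives renaming, and assumes WMI and the WinNT ADSI provider are reachable on the targets and that you run it as a local admin of each; every computer, domain and group name is hypothetical.

```powershell
# Added example, not from the original posts. Audits workstations for: built-in
# Administrator (RID 500) disabled and renamed; local Administrators group limited
# to an allow-list. Assumptions: WMI/DCOM and the WinNT ADSI provider reachable,
# caller is a local admin on each target; all names below are hypothetical.

$AllowedWorkstationAdmins = @('CORP\Domain Admins', 'CORP\Desktop Admins')
$Workstations = @('WS1001', 'WS1002')

function Get-LocalAdminAudit {
    param([Parameter(Mandatory=$true)][string]$Computer,
          [string[]]$AllowedMembers)

    # RID 500 identifies the built-in Administrator even after it has been renamed.
    $builtin = Get-WmiObject Win32_UserAccount -ComputerName $Computer -Filter 'LocalAccount=True' |
               Where-Object { $_.SID -like '*-500' }

    # Enumerate the local Administrators group; ADsPath tells local and domain principals apart.
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CORP/Desktop Admins -> CORP\Desktop Admins
    })

    $unexpected = $members | Where-Object {
        $_ -ne "$Computer\$($builtin.Name)" -and $AllowedMembers -notcontains $_
    }

    New-Object PSObject -Property @{
        Computer         = $Computer
        BuiltinAdminName = $builtin.Name
        BuiltinDisabled  = $builtin.Disabled
        StillDefaultName = ($builtin.Name -eq 'Administrator')
        UnexpectedAdmins = (@($unexpected) -join '; ')
    }
}

$Workstations |
    ForEach-Object { Get-LocalAdminAudit -Computer $_ -AllowedMembers $AllowedWorkstationAdmins } |
    Format-Table Computer, BuiltinAdminName, BuiltinDisabled, StillDefaultName, UnexpectedAdmins -AutoSize
```

Run the same function over the server list with a server-tier allow-list; any workstation-support principal that turns up there is the cross-tier exposure Will is warning about.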

Accepted Solution

by:McKnife
ID: 40543110
I haven't got the time right now and will answer thoroughly later on.
But two facts need to be set straight. First:
- You cannot boot into safe mode and get access to the admin account on domain-joined computers. Domain-joined computers behave differently.
- Keyloggers are stopped by UAC. If an admin is called to do admin work supporting a malicious user, the keylogger cannot record the keystrokes that are entered at a UAC prompt, thanks to the secure desktop technique.

Assisted Solution

by:McKnife
ID: 40543180
Back for more.

Scenario 1: the end user needs support in his session (a problem with settings, no admin credentials needed)
-> You should use Remote Assistance and act as the user.

Scenario 2: the end user needs support with a problem that is not session-exclusive and will need admin credentials to overcome it
-> You should use Remote Desktop so you get a separate session; keyloggers that were started as the user in his session don't work there.
-> If you prefer to enter the credentials in the user's session, you would need to make sure they are entered on the secure desktop (UAC default). But this is risky, as the user might watch the keyboard very closely, so it's not recommended.

Scenario 3: you are supporting a workstation where the user already is local admin for whatever reason
-> I have described the scenario, the dangers and the countermeasures here: http://www.experts-exchange.com/Networking/Security/Q_28353295.html
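An added example, not McKnife's own code, covering both of McKnife's points: the secure-desktop claim from the first answer becomes a check of the target's UAC settings (a user-mode keylogger in the user's session cannot read input on the secure desktop, but only if the prompt actually goes there), and the Scenario 1 / Scenario 2 split from the second answer becomes a choice between Offer Remote Assistance and a separate Remote Desktop session. It reads the target's registry remotely, so the Remote Registry service must be running there; the computer name is hypothetical. On a client edition of Windows the console user is disconnected while your RDP session is active, which is what keeps your input out of their session.

```powershell
# Added example, not from the original posts. Checks that UAC prompts on the target
# use the secure desktop and that Remote Assistance / Remote Desktop are enabled,
# then launches the session type that fits the scenario. Assumes the Remote Registry
# service is running on the target; $Computer is hypothetical.

function Get-SupportReadiness {
    param([Parameter(Mandatory=$true)][string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $uac = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $ra  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Remote Assistance')
        $ts  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')

        $enableLua  = [int]$uac.GetValue('EnableLUA', 1)
        $secureDesk = [int]$uac.GetValue('PromptOnSecureDesktop', 1)
        # Prompt a standard user gets when elevation is needed ("over the shoulder"):
        # 0 = auto-deny, 1 = credentials on the secure desktop, 3 = credentials on the normal desktop (default)
        $userPrompt = [int]$uac.GetValue('ConsentPromptBehaviorUser', 3)

        New-Object PSObject -Property @{
            Computer              = $Computer
            UacOn                 = ($enableLua -eq 1)
            CredsOnSecureDesktop  = ($enableLua -eq 1 -and $userPrompt -ne 0 -and ($secureDesk -eq 1 -or $userPrompt -eq 1))
            RemoteAssistance      = ([int]$ra.GetValue('fAllowToGetHelp', 0) -eq 1)
            OfferRemoteAssistance = ([int]$ra.GetValue('fAllowUnsolicited', 0) -eq 1)
            RemoteDesktop         = ([int]$ts.GetValue('fDenyTSConnections', 1) -eq 0)
        }
    } finally {
        $hklm.Close()
    }
}

function Start-SupportSession {
    param([Parameter(Mandatory=$true)][string]$Computer,
          [ValidateSet('Assist', 'Admin')][string]$Mode = 'Assist')
    $r = Get-SupportReadiness -Computer $Computer
    if (-not $r.CredsOnSecureDesktop) {
        Write-Warning "${Computer}: UAC prompts do not use the secure desktop; do not type admin credentials inside the user's session."
    }
    switch ($Mode) {
        'Assist' {   # Scenario 1: work inside the user's own session, no admin credentials involved
            if (-not $r.OfferRemoteAssistance) { throw "Offer Remote Assistance is not enabled on $Computer" }
            Start-Process msra.exe -ArgumentList "/offerra $Computer"
        }
        'Admin'  {   # Scenario 2: your own RDP session; a keylogger running as the user does not see its input
            if (-not $r.RemoteDesktop) { throw "Remote Desktop is disabled on $Computer" }
            Start-Process mstsc.exe -ArgumentList "/v:$Computer"
        }
    }
    $r
}

# Usage:
# Start-SupportSession -Computer WS1234 -Mode Assist   # settings problem in the user's session
# Start-SupportSession -Computer WS1234 -Mode Admin    # machine-wide problem needing admin rights
```

The UAC values read here are the ones Group Policy writes for "User Account Control: Switch to the secure desktop when prompting for elevation" and "Behavior of the elevation prompt for standard users"; if either has been relaxed, the keylogger argument in the first answer no longer holds for that machine.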

Author Comment

by:TarasShumylo
ID: 40544031
I have no time to investigate this issue further, because it turned out to be very complex.

I accept the answer of McKnife as the most informative on this problem. McKnife, thank you for the big work done on this subject.