
What are best practices of managing local administrator account in large company?

Posted on 2015-01-11
419 Views
Last Modified: 2015-01-12
Hey)

What are the best practices for managing the local administrator account in a large company with about 3000 employees in one office?

It is not very good that one local administrator account has the same rights on all workstations, and that the person who has the local administrator password can connect to any workstation via the admin share.

It's very easy for a malicious user to collect the administrator password: just install a keylogger and create some problem that requires support personnel to come to the user's workstation and enter the local administrator password. After this, the malicious user will have access to data on all workstations in the company.

As far as I know, if we disable the local administrator account and the workstation loses its trust relationship with the domain, I can just boot into safe mode and the administrator account will be automatically enabled by Windows. Then I can create another temporary administrator account and boot normally.

But if there is no local administrator account on the workstation, I will be forced to use my domain account, which also has access to all workstations and whose password can be easily captured with a keylogger. To overcome this, I want to never enter my domain password on a client workstation. So, when I go to resolve some problem on a client workstation, I create a local administrator account from a remote MMC (Local Users and Groups) before I go to the client workstation. If the workstation has no network access, I will go to it, reboot into safe mode and create a temporary administrator account.

So the questions are:

1. Is it wise to disable the administrator account on all client workstations?
2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?

Any links will be appreciated.

Thank you for your time and have a nice day)
Question by:TarasShumylo
6 Comments
LVL 92

Expert Comment

by:John Hurst
ID: 40543053
Starting with Windows 7 (Vista also perhaps), the local administrator account is disabled and should remain disabled. It should not be enabled for any reason and UAC should remain ON.

No user should be a member of the administrators group. There would normally be no exception or very rare exception to this.

I see no issue with making an account with a name unique to you as the local administrator on the machine. Users would not have access.

Then you and people you designate could manage the machine locally.

Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?

Normally very strong passwords with special characters will accommodate this.

Your business policies should spell out that attempts to gain access to computers may be met with disciplinary action up to and including dismissal.
LVL 12

Expert Comment

by:FarWest
ID: 40543064
Adding a single special domain account to the local Administrators group is good (you can use GPO to do so), with caution:
what you can do to disable actions from a keylogger is to enable this account only when needed and disable it whenever you have finished, with periodic password changes or whenever you get suspicious.
Also use a smart card or fingerprint reader specifically for this user's access.

1. Is it wise to disable the administrator account on all client workstations?
Yes, but some working scenarios may require administrator permission (e.g. a software developer's machine).

2. Is it wise to create a temporary administrator account remotely from MMC when I go to troubleshoot some problem, and if the client workstation has no network, is it wise to boot into safe mode and create a temporary local administrator account?
You will not need that if you follow my suggestion, but you have to remember the last cached password when the machine is offline.
3. Are there any better ways of preventing a malicious user from easily accessing all workstations in the company?
As Mr. Hurst said, your company policies should be strict. Also, usually this (malicious access) will be done using Remote Desktop (since it is not applicable to sit at someone else's desk), so disabling the account when it is not in use is good practice, and restricting its logon time to company working hours will narrow this down.
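The enable-only-when-needed, rotate-the-password, restrict-logon-hours approach described in the comment above, as an added PowerShell example that is not part of this thread and not from any of the posters. It assumes the ActiveDirectory module (RSAT) is installed, that the designated support account is named svc-wks-support (an assumed name, substitute your own), and that the logonHours attribute is encoded as documented: 21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, least significant bit first.

```powershell
# Added example (not from the thread): a designated domain support account is
# enabled with a fresh random password only for the duration of a support call,
# restricted to working hours, and disabled (and rotated again) afterwards.
Import-Module ActiveDirectory

$SupportAccount = 'svc-wks-support'   # assumed account name

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (0/O, 1/l/I) left out so the password can be read aloud to a technician.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling avoids modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function New-LogonHoursMask {
    # Builds the 21-byte logonHours value: bit n = hour n of the week,
    # counted from Sunday 00:00 UTC, least significant bit first within each byte.
    param(
        [int[]]$Days     = 1..5,   # 0 = Sunday ... 6 = Saturday
        [int]$StartHour  = 8,      # inclusive, UTC
        [int]$EndHour    = 18      # exclusive, UTC
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $mask[$idx] = [byte]($mask[$idx] -bor (1 -shl ($bit % 8)))
        }
    }
    ,$mask
}

function Enable-SupportAccount {
    param([string]$Name = $SupportAccount)
    $password = New-RandomPassword
    $secure   = ConvertTo-SecureString $password -AsPlainText -Force
    Set-ADAccountPassword -Identity $Name -Reset -NewPassword $secure
    Set-ADUser -Identity $Name -Replace @{ logonHours = (New-LogonHoursMask) }
    Enable-ADAccount -Identity $Name
    # Returned once to the admin's own console; it is never typed into the end
    # user's session outside the UAC secure desktop.
    $password
}

function Disable-SupportAccount {
    param([string]$Name = $SupportAccount)
    Disable-ADAccount -Identity $Name
    # Rotate on disable as well, so a password captured during the call is useless afterwards.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Name -Reset -NewPassword $secure
}

# Usage for one support call:
# $pw = Enable-SupportAccount      # before walking to the workstation
# ...do the work...
# Disable-SupportAccount           # immediately afterwards
```

After the first run, compare `Get-ADUser $SupportAccount -Properties logonHours` with the Logon Hours dialog in Active Directory Users and Computers, which displays the same attribute converted to local time; if the displayed window is shifted, adjust the StartHour/EndHour parameters for your UTC offset. The offline case FarWest mentions still applies: a workstation without network access can only accept the last password it cached, so rotate only after the machine has been reconnected.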
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40543102
You should be disabling and renaming the local admin password via GPO. As stated before, you should be creating a unique local administrator account that differs between workstations and servers. Local admin accounts should be different on workstations and servers so that, say, desktop support does not have the local admin passwords to the server infrastructure.

Will.
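A way to verify that the advice in John Hurst's and Will Szymkowski's comments has actually taken effect on the fleet (built-in Administrator disabled and renamed, nobody unexpected in the local Administrators group), as an added PowerShell example that is not part of this thread and not from any of the posters. It uses the ADSI WinNT provider, which works against Windows 7 era clients without PowerShell remoting, and identifies the built-in account by its RID 500 rather than by name, since renaming is exactly what the GPO does. The domain name CONTOSO, the account svc-wks-support and the list of expected members are assumptions.

```powershell
# Added example (not from the thread): audit the built-in Administrator and the
# local Administrators group on a list of workstations over ADSI (WinNT provider).
# Run under an account allowed to read local SAM data on the targets.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        # Members you consider legitimate (assumed values); anything else is flagged.
        [string[]]$ExpectedMembers = @('CONTOSO\Domain Admins', 'CONTOSO\svc-wks-support')
    )
    process {
        $result = [ordered]@{
            ComputerName            = $ComputerName
            BuiltinAdminName        = $null
            BuiltinAdminDisabled    = $null
            StillNamedAdministrator = $null
            UnexpectedMembers       = $null
            Error                   = $null
        }
        try {
            $root = [ADSI]"WinNT://$ComputerName"

            # The built-in Administrator always has RID 500, whatever it has been renamed to.
            $builtin = $root.Children |
                Where-Object { $_.SchemaClassName -eq 'user' } |
                Where-Object {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
                    $sid.Value -like '*-500'
                } | Select-Object -First 1

            $result.BuiltinAdminName        = $builtin.Name.Value
            $result.BuiltinAdminDisabled    = (($builtin.UserFlags.Value -band 2) -ne 0)   # ADS_UF_ACCOUNTDISABLE
            $result.StillNamedAdministrator = ($builtin.Name.Value -eq 'Administrator')

            # Members of the local Administrators group, normalised to DOMAIN\Name
            # (local accounts come out as COMPUTER\Name and are therefore flagged too).
            $group   = [ADSI]"WinNT://$ComputerName/Administrators,group"
            $members = @($group.Invoke('Members') | ForEach-Object {
                $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                ($path -replace '^WinNT://', '') -replace '/', '\'
            })
            $unexpected = $members | Where-Object { $ExpectedMembers -notcontains $_ }
            $result.UnexpectedMembers = ($unexpected -join '; ')
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage: pull workstation names from AD (ActiveDirectory module) and list only the findings.
# Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' |
#     Select-Object -ExpandProperty Name |
#     Get-LocalAdminAudit |
#     Where-Object { -not $_.BuiltinAdminDisabled -or $_.StillNamedAdministrator -or $_.UnexpectedMembers -or $_.Error } |
#     Format-Table -AutoSize
```

Machines that report an Error are worth a second look as well: a workstation that cannot be reached over the admin share is also one whose local accounts have not been seen by this audit.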
LVL 53

Accepted Solution

by:McKnife (earned 500 total points)
ID: 40543110
I haven't got the time right now and will answer thoroughly later on.
But two facts need to be set straight. First:
- You cannot boot into safe mode and get access to the admin account on domain-joined computers. Domain-joined computers behave differently.
- Keyloggers are stopped by UAC. If an admin is called to do admin work supporting a malicious user, the keylogger cannot record the keystrokes that are entered into a UAC prompt, thanks to the secure desktop technique.
LVL 53

Assisted Solution

by:McKnife (earned 500 total points)
ID: 40543180
Back for more.

Scenario 1: the end user needs support in his session (problem with settings, no admin credentials needed)
-> You should use Remote Assistance and act as the user.

Scenario 2: the end user needs support with a problem that is not session-exclusive and will need admin credentials to overcome it
-> You should use Remote Desktop so you get a separate session; keyloggers that were started as the user in his session don't work there.
-> If you prefer to enter the credentials in the user's session, you would need to make sure they are entered on the secure desktop (UAC default). But this is risky, as the user might watch the keyboard very closely, so it's not recommended.

Scenario 3: you are supporting a workstation where the user already is local admin for whatever reason
-> I have described the scenario, the dangers and the countermeasures here: http://www.experts-exchange.com/Networking/Security/Q_28353295.html
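Both of McKnife's answers rest on two properties of the workstation: UAC prompts go to the secure desktop, and a Remote Desktop logon is a separate session from the end user's. A check for both, as an added PowerShell example that is not part of this thread and not from McKnife. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and treats a SESSIONNAME of the form RDP-* as a Remote Desktop session (an assumption about the session naming).

```powershell
# Added example (not from the thread): report whether credentials entered into
# UAC prompts on this workstation land on the secure desktop, and whether the
# current session is the console or a separate Remote Desktop session.
function Get-UacSecureDesktopStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Absent values mean Windows defaults: UAC on, secure desktop on,
    # admins "prompt for consent for non-Windows binaries" (5),
    # standard users "prompt for credentials" (3).
    $enableLua  = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }
    $adminBehav = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userBehav  = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }

    # ConsentPromptBehaviorUser: 0 = deny elevation, 1 = credentials on secure desktop,
    #                            3 = credentials (secure desktop if PromptOnSecureDesktop = 1)
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/2 = prompt on secure desktop,
    #                             3/4/5 = prompt (secure desktop if PromptOnSecureDesktop = 1)
    # The support-in-the-user's-session case is governed by the *user* value: the
    # technician types admin credentials into a prompt raised by a standard user.
    $userPromptProtected  = ($enableLua -eq 1) -and
                            (($userBehav -eq 1) -or ($userBehav -eq 3 -and $secureDesk -eq 1))
    $adminPromptProtected = ($enableLua -eq 1) -and
                            (($adminBehav -in 1,2) -or ($adminBehav -in 3,4,5 -and $secureDesk -eq 1))

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        PromptOnSecureDesktop         = $secureDesk
        ConsentPromptBehaviorAdmin    = $adminBehav
        ConsentPromptBehaviorUser     = $userBehav
        CredsInUserSessionProtected   = $userPromptProtected   # the Scenario 2 "enter in user's session" case
        AdminElevationProtected       = $adminPromptProtected
        SessionName                   = $env:SESSIONNAME
        IsRemoteDesktopSession        = ($env:SESSIONNAME -like 'RDP-*')   # separate session, as in Scenario 2
    }
}

Get-UacSecureDesktopStatus | Format-List
```

A report with EnableLUA 0, or ConsentPromptBehaviorUser 3 together with PromptOnSecureDesktop 0, means the keylogger protection McKnife describes is not in place on that machine and Remote Desktop (or fixing the policy first) is the only safe option. Note that the secure desktop protects keystrokes from software in the user's session; it does nothing about someone watching the keyboard, which is why McKnife still prefers a separate session.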
LVL 3

Author Comment

by:TarasShumylo
ID: 40544031
I have no time to investigate this issue further, because it turned out to be very complex.

I accept the answer of McKnife as the most informative on this problem. McKnife, thank you for the big work done on this subject.