Peter Wilson asked:

No Admin Password & Yubikey

Hello,

After reading through McKnife's article https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html I have some questions on how it relates to YubiKey.

I'm using Windows 10 Pro in a workgroup setting where I have only two accounts in Windows: a user account and an admin account (the default administrator account renamed per Microsoft recommended Best Practices). The user account has YubiKey assigned to it and I was about to do so for the admin account but I'm not sure about a couple of items I have included below:
  • Can the YubiKey work in a no password scenario?
  • If I assign the YubiKey to the admin account will that require the YubiKey for every elevation prompt?
  • Is having the YubiKey assigned to the admin account even bettering my security if I apply the article above to my machine? Are there any viable benefits?
  • If the settings annotated in the article above go wrong (get corrupted), is there a potential to be locked out of the admin account forever? What are the downsides (if any) to the idea expressed in the article?
ASKER CERTIFIED SOLUTION
Shaun Vermaak
This solution is only available to members.
ASKER

Thanks Shaun for your reply!

1) Can the YubiKey work in a no password scenario?
    Even if it could, I wouldn't. You would lose 2FA. Yubikey is an open platform so it is possible that such a solution exists. I use it with LastPass and Devolutions. I use Duo for Windows logon.
What I meant to say, in the context of the admin account having no password per McKnife's article, is: can I and should I apply YubiKey to the admin account as well, given that it has no password? Currently, I have YubiKey set up for my user account (which has a strong password) and it works great. My thought was to protect the admin account further against attacks, but maybe as it is deactivated per the article that is as safe as it can get. Thoughts?

Another question is: would you recommend, per McKnife's article, to just use the default admin account instead of creating a new one? If I rename the default admin account per Microsoft, why would I need to essentially have two disabled admin accounts, one triggered to go on/off per McKnife's article while the other would just sit disabled? Wouldn't it make more sense to just rename the default admin account and use it for the on/off triggering mentioned in the article?
I need more time...no one has answered my additional questions. Can more experts be called to participate?

How does this affect lockout policy? I run my personal computer at 4 times permanent lockout in a non-domain environment.
Shaun Vermaak, is there any way you can answer my remaining questions so I can close this question?
Peter, please click on "request attention" to call for more experts. Should be a button around your question.
These questions are in context of McKnife article and he should elaborate. I do not follow that practice because I am too concerned about it being dependent on LimitBlankPasswordUse value but that is my opinion.
I don't combine yubikey with other factors - no experience, sorry, else I would have responded.
Aside from yubikey then, how is a lockout policy used in your scenario? If I follow your article, what happens if the computer hits the lockout policy? Currently, this is for my personal computer so I'm not on a domain and I have set up a permanent lockout after 4 bad tries. What would you recommend in this scenario?

By the way, I have been using your idea for a while and I absolutely love it.
SOLUTION
This solution is only available to members.
What about creating another Admin account with a very long password. Would that work or defeat the entire purpose of your article?
SOLUTION
This solution is only available to members.
I'm not familiar with that exercise so it sounds like I should learn it. Thanks for responding to my inquiries.
You are welcome, Peter.