No Admin Password & Yubikey

Hello,

After reading through McKnife's article https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html I have some questions on how it relates to YubiKey.

I'm using Windows 10 Pro in a workgroup setting where I have only two accounts in Windows: a user account and an admin account (the default administrator account renamed per Microsoft recommended Best Practices). The user account has YubiKey assigned to it and I was about to do so for the admin account but I'm not sure about a couple of items I have included below:
  • Can the YubiKey work in a no password scenario?
  • If I assign the YubiKey to the admin account will that require the YubiKey for every elevation prompt?
  • Is having the YubiKey assigned to the admin account even bettering my security if I apply the article above to my machine - Are there any viable benefits?
  • If the settings annotated in the article above go wrong (get corrupted) is there a potential to be locked out of the admin account forever - what are the downsides (if any) to this idea expressed in the article
Peter Wilson (IT) Asked:
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
McKnife can answer these within the context of his article but here is my opinion

1) Can the YubiKey work in a no password scenario?
    Even if it could, I wouldn't. You would lose 2FA. Yubikey is an open platform so it is possible that such a solution exists. I use it with LastPass and Devolutions. I use Duo for Windows logon

2) If I assign the YubiKey to the admin account will that require the YubiKey for every elevation prompt?
    No, it does not integrate with UAC. Also Yubikey only works as a key to whatever supported Yubi app is installed

3) Is having the YubiKey assigned to the admin account even bettering my security if I apply the article above to my machine - Are there any viable benefits?
    Only from a console/local perspective. Adds 2FA

4) If the settings annotated in the article above go wrong (get corrupted) is there a potential to be locked out of the admin account forever - what are the downsides (if any) to this idea expressed in the article
    With physical access you will never get locked out (assuming you are storing encryption backup keys)
2
 
Peter Wilson (IT, Author) Commented:
Thanks Shaun for your reply!

1) Can the YubiKey work in a no password scenario?
    Even if it could, I wouldn't. You would lose 2FA. Yubikey is an open platform so it is possible that such a solution exists. I use it with LastPass and Devolutions. I use Duo for Windows logon
What I meant to say in context of the admin account having no password per McKnife's article is that can I and should I apply YubiKey to the admin account as well being that it has no password. Currently, I have YubiKey set up for my user account (which has a strong password) and it works great. My thought was to protect the admin account from further attacks, but maybe as it is deactivated per the article that is as safe as it can get. Thoughts?

Another question is would you recommend per McKnife's article to just use the default admin account instead of creating a new one. If I rename the default admin account per Microsoft why would I need to essentially have two disabled admin accounts one triggered to go on/off per McKnife's article the other would just sit disabled. Wouldn't it make more sense to just rename the default admin account and use it for the on/off triggering mentioned in the article?
0
 
Peter Wilson (IT, Author) Commented:
I need more time...no one has answered my additional questions. Can more experts be called to participate?

How does this affect lockout policy...I run my personal computer at 4 times permanent lockout in a non-domain environment.
0
 
Peter Wilson (IT, Author) Commented:
Shaun Vermaak, is there any way you can answer my remaining questions so I can close this question?
0
 
McKnife Commented:
Peter, please click on "request attention" to call for more experts. Should be a button around your question.
0
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
These questions are in the context of McKnife's article and he should elaborate. I do not follow that practice because I am too concerned about it being dependent on the LimitBlankPasswordUse value, but that is my opinion.
0
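
A read-only check of the setting the comment above is concerned about, as an added example that is not part of the thread or of McKnife's article. The function name `Get-BlankPasswordAdminAudit` is hypothetical; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and it cannot tell whether a password is actually blank.

```powershell
# Added example: reports LimitBlankPasswordUse and the state of every local
# account in the Administrators group. Makes no changes to the system.
function Get-BlankPasswordAdminAudit {
    [CmdletBinding()]
    param()

    # LimitBlankPasswordUse = 1 (the Windows default) restricts accounts with a
    # blank password to console logon; 0 lets them log on over the network too.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop   = Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    $limit  = if ($null -ne $prop) { $prop.LimitBlankPasswordUse } else { 'NotSet' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup does not depend on the (localized) group name.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        if ($member.PrincipalSource -ne 'Local') { continue }

        # Nested groups do not resolve as local users and are skipped.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # The built-in Administrator keeps RID 500 even after being renamed.
        $isBuiltIn = $user.SID.Value -like 'S-1-5-21-*-500'

        $review = if ($limit -ne 1) {
            'LimitBlankPasswordUse is not 1: blank-password accounts are not limited to console logon'
        } elseif ($user.Enabled -and -not $user.PasswordRequired) {
            'Enabled admin account that is allowed to have no password: confirm this is intended'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Account               = $user.Name
            BuiltInAdministrator  = $isBuiltIn
            Enabled               = $user.Enabled
            PasswordRequired      = $user.PasswordRequired
            LimitBlankPasswordUse = $limit
            Review                = $review
        }
    }
}

Get-BlankPasswordAdminAudit | Format-Table -AutoSize
```

Running it from an elevated session on a schedule, and alerting when `Review` is anything other than `OK`, catches the case where the registry value is changed after the blank-password setup was put in place.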
 
McKnife Commented:
I don't combine yubikey with other factors - no experience, sorry, else I would have responded.
0
 
Peter Wilson (IT, Author) Commented:
Aside from yubikey then, how is a lockout policy used in your scenario? If I follow your article, what happens if the computer hits the lockout policy. Currently, this is for my personal computer so I'm not on a domain and I have setup a permanent lockout after 4 bad tries. What would you recommend in this scenario?

By the way, I have been using your idea for a while and I absolutely love it.
0
 
McKnife Commented:
"if the computer hits the lockout policy" - now what should that mean? I guess you mean if your account gets locked, how would you access your machine? Well, in that case, take a bootdisk and activate the local administrator account from there: https://pogostick.net/~pnh/ntpasswd/bootdisk.html
0
 
Peter Wilson (IT, Author) Commented:
What about creating another Admin account with a very long password. Would that work or defeat the entire purpose of your article?
0
 
McKnife Commented:
That would of course work and not defeat it, no. But what for? You can always enable the administrator account (that's an exercise anyone should know, by the way).
0
 
Peter Wilson (IT, Author) Commented:
I'm not familiar with that exercise so it sounds like I should learn it. Thanks for responding to my inquiries.
0
 
McKnife Commented:
You are welcome, Peter.
0
Question has a verified solution.