No Admin Password & Yubikey

Hello,

After reading through McKnife's article https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html I have some questions on how it relates to YubiKey.

I'm using Windows 10 Pro in a workgroup setting where I have only two accounts in Windows: a user account and an admin account (the default administrator account renamed per Microsoft recommended Best Practices). The user account has YubiKey assigned to it and I was about to do so for the admin account but I'm not sure about a couple of items I have included below:
  • Can the YubiKey work in a no password scenario?
  • If I assign the YubiKey to the admin account will that require the YubiKey for every elevation prompt?
  • Is having the YubiKey assigned to the admin account even bettering my security if I apply the article above to my machine - Are there any viable benefits?
  • If the settings annotated in the article above go wrong (get corrupted), is there a potential to be locked out of the admin account forever? What are the downsides (if any) to the idea expressed in the article?
Peter Wilson (IT) asked:
Shaun Vermaak (Technical Specialist) commented:
McKnife can answer these within the context of his article, but here is my opinion:

1) Can the YubiKey work in a no password scenario?
    Even if it could, I wouldn't. You would lose 2FA. YubiKey is an open platform, so it is possible that such a solution exists. I use it with LastPass and Devolutions. I use Duo for Windows logon.

2) If I assign the YubiKey to the admin account will that require the YubiKey for every elevation prompt?
    No, it does not integrate with UAC. Also, YubiKey only works as a key to whatever supported Yubi app is installed.

3) Is having the YubiKey assigned to the admin account even bettering my security if I apply the article above to my machine - Are there any viable benefits?
    Only from a console/local perspective. Adds 2FA

4) If the settings annotated in the article above go wrong (get corrupted), is there a potential to be locked out of the admin account forever? What are the downsides (if any) to the idea expressed in the article?
    With physical access you will never get locked out (assuming you are storing encryption backup keys)
Peter Wilson (IT, Author) commented:
Thanks Shaun for your reply!

1) Can the YubiKey work in a no password scenario?
    Even if it could, I wouldn't. You would lose 2FA. YubiKey is an open platform, so it is possible that such a solution exists. I use it with LastPass and Devolutions. I use Duo for Windows logon.
What I meant to say, in the context of the admin account having no password per McKnife's article, is: can I, and should I, apply YubiKey to the admin account as well, given that it has no password? Currently, I have YubiKey set up for my user account (which has a strong password) and it works great. My thought was to protect the admin account from further attacks, but maybe, as it is deactivated per the article, that is as safe as it can get. Thoughts?

Another question is whether you would recommend, per McKnife's article, just using the default admin account instead of creating a new one. If I rename the default admin account per Microsoft, why would I need to essentially have two disabled admin accounts: one triggered to go on/off per McKnife's article, while the other would just sit disabled? Wouldn't it make more sense to just rename the default admin account and use it for the on/off triggering mentioned in the article?
Peter Wilson (IT, Author) commented:
I need more time...no one has answered my additional questions. Can more experts be called to participate?

How does this affect lockout policy? I run my personal computer with a permanent lockout after 4 bad tries in a non-domain environment.
Peter Wilson (IT, Author) commented:
Shaun Vermaak, is there any way you can answer my remaining questions so I can close this question?
McKnife commented:
Peter, please click on "request attention" to call for more experts. Should be a button around your question.
Shaun Vermaak (Technical Specialist) commented:
These questions are in the context of McKnife's article and he should elaborate. I do not follow that practice because I am too concerned about it being dependent on the LimitBlankPasswordUse value, but that is my opinion.
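Since the concern above rests on LimitBlankPasswordUse, here is an added audit script (not code from this thread or from McKnife's article) that reads the three settings the thread keeps circling: the LimitBlankPasswordUse value, the state of the built-in Administrator (found by RID 500, so renaming it does not matter), and which local members of Administrators have the "password required" flag cleared. It assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the treatment of an absent registry value as the default of 1 is an assumption noted in the comments.

```powershell
#Requires -RunAsAdministrator
# Added audit example; not code from this thread or from McKnife's article.
# Assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module.

# 1. LimitBlankPasswordUse: 1 (the Windows default) restricts accounts with a
#    blank password to console logon only; 0 lets them log on over the network.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limit  = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
if ($null -eq $limit) { $limit = 1 }   # assumption: an absent value behaves like the default of 1
$verdict = if ($limit -eq 1) { 'blank passwords are console-only' } else { 'WARNING: blank passwords usable over the network' }
"LimitBlankPasswordUse = $limit ($verdict)"

# 2. The built-in Administrator is identified by RID 500, whatever it was renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator: Name='$($builtin.Name)' Enabled=$($builtin.Enabled) PasswordRequired=$($builtin.PasswordRequired)"

# 3. Every local member of Administrators, flagged by how exposed a blank password
#    would be. PasswordRequired mirrors the account's "password required" flag
#    (what `net user` reports), the closest indicator this module exposes.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -in 'Local', 'MicrosoftAccount' } |
    ForEach-Object {
        $u = Get-LocalUser -SID $_.SID
        $exposure = if ($u.PasswordRequired -or -not $u.Enabled) { 'none' }
                    elseif ($limit -eq 1) { 'console-only blank password' }
                    else { 'network-reachable blank password' }
        [pscustomobject]@{
            Name             = $u.Name
            Enabled          = $u.Enabled
            PasswordRequired = $u.PasswordRequired
            Exposure         = $exposure
        }
    } | Format-Table -AutoSize
```

The third table is the one to watch: the article's approach is only as safe as the combination "disabled account, blank password, LimitBlankPasswordUse = 1", and a row reading Enabled=True with Exposure "network-reachable blank password" means one of those three legs has been changed.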
McKnife commented:
I don't combine yubikey with other factors - no experience, sorry, else I would have responded.
Peter Wilson (IT, Author) commented:
Aside from YubiKey then, how is a lockout policy used in your scenario? If I follow your article, what happens if the computer hits the lockout policy? Currently, this is for my personal computer, so I'm not on a domain and I have set up a permanent lockout after 4 bad tries. What would you recommend in this scenario?

By the way, I have been using your idea for a while and I absolutely love it.
McKnife commented:
"if the computer hits the lockout policy" - now what should that mean? I guess you mean if your account gets locked, how would you access your machine? Well, in that case, take a bootdisk and activate the local administrator account from there: https://pogostick.net/~pnh/ntpasswd/bootdisk.html
Peter Wilson (IT, Author) commented:
What about creating another Admin account with a very long password. Would that work or defeat the entire purpose of your article?
McKnife commented:
That would of course work and not defeat it, no. But what for? You can always enable the administrator account (that's an exercise anyone should know, by the way).
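As an added example of the "exercise" McKnife refers to, and of the lockout question asked two posts up (this is not code from the thread or from McKnife's article): the script below shows the local lockout policy, clears the lockout flag on a local account, and enables the built-in Administrator by its RID rather than its name. It assumes a non-domain Windows 10 machine and a session that already has administrative rights; the WinNT ADSI provider is used for the unlock because the LocalAccounts module has no cmdlet for it, and the account name in the example call is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added recovery example; not code from this thread or from McKnife's article.
# Assumes a non-domain Windows 10 machine and a session that already has
# administrative rights (the state the article's on/off switching works from).

# 1. Show the local lockout policy. With "Lockout duration (minutes): Never",
#    a locked account stays locked until an administrator clears the flag.
net accounts | Select-String -Pattern 'Lockout'

# 2. Clear the lockout flag on a local account via the WinNT ADSI provider
#    (the LocalAccounts module has no Unlock-LocalUser cmdlet).
function Unlock-LocalAccount {
    param([Parameter(Mandatory)][string]$Name)
    $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    if ($acct.IsAccountLocked) {
        $acct.IsAccountLocked = $false
        $acct.SetInfo()
        "Cleared lockout on $Name"
    } else {
        "$Name is not locked out"
    }
}

# 3. The "exercise": find the built-in Administrator by RID 500, whatever it was
#    renamed to, enable it, and report its state. Disable it again with
#    Disable-LocalUser once the recovery work is done.
function Enable-BuiltInAdministrator {
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Enable-LocalUser -SID $builtin.SID
    Get-LocalUser -SID $builtin.SID | Select-Object Name, Enabled, PasswordRequired
}

# Example calls (the account name is a placeholder for your own user account):
# Unlock-LocalAccount -Name 'PLACEHOLDER-USER'
# Enable-BuiltInAdministrator
```

Both functions need an already-elevated session, which is exactly what a locked-out user account no longer gives you; that is the gap McKnife's boot-disk suggestion fills, and the reason to know this procedure before you need it.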
Peter Wilson (IT, Author) commented:
I'm not familiar with that exercise so it sounds like I should learn it. Thanks for responding to my inquiries.
McKnife commented:
You are welcome, Peter.