sunhux
asked on
Is disabling a local Windows PC's administrator a bad or good practice?
We had an internal debate on fulfilling an auditor's requirement for a batch of critical PCs
(that are used for critical processing): the audit requires that login activities to the built-in local
administrator (which we had renamed) be reviewed regularly by another team
(it's used by the End User support team on rare occasions only, when a PC has lost network
connectivity to a central management tool like SCCM).
As the security person, I find it unsustainable to regularly review each time the local admin
is used to log in, & Audit agrees that if we disable it, then the review is not needed.
Somehow, there's a way to tweak it (by replacing a binary with cmd.exe) to boot up the
PC in Safe mode so that we can get to a command prompt to re-enable it for recovery
only (I deem that simply recovering a 'disconnected PC' doesn't need review).
There are debates raised internally:
a) Is disabling local admin a more secure practice than reviewing the activities (which I
felt no organization has the resources for, i.e. a compliance person to follow up
whenever a login to the local admin is used)? Which of the two is more practical?
b) Another proposal is to install these critical PCs with Splunk agents to pipe their
events to Splunk so the events of using local admins are sort of 'monitored' by
the SIEM.
c) Is disabling local admin considered a bad / unsustainable practice? Any articles
to support disabling, or against it, are appreciated.
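For the "disable it" and "monitor it" options above, the first thing either side needs is a reliable way to find the built-in account (it was renamed, so matching on the name is unreliable) and to see whether anyone has been logging in with it. The script below is an added example, not from the original thread; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the LocalAccounts module, and a 30-day lookback that you can adjust.

```powershell
# Added example: locate the built-in local Administrator by its well-known RID (-500),
# whatever it has been renamed to, then report its state and recent successful logons.
# Assumes an elevated session; Get-LocalUser needs the Microsoft.PowerShell.LocalAccounts module.

# RID 500 is always the built-in Administrator; renaming changes the name, not the SID.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in Administrator account not found on this machine' }

[PSCustomObject]@{
    Computer        = $env:COMPUTERNAME
    Name            = $builtin.Name
    Enabled         = $builtin.Enabled          # $false means the "disable it" control is in place
    LastLogon       = $builtin.LastLogon
    PasswordLastSet = $builtin.PasswordLastSet  # stale date = shared password never rotated
} | Format-List

# Security event 4624 = successful logon. TargetUserSid is matched against the RID-500 SID,
# so renamed or re-enabled accounts are still caught. Lookback window is an assumption.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable for readable access.
    $d = @{}
    foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    if ($d.TargetUserSid -eq $builtin.SID.Value) {
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            LogonType   = $d.LogonType      # 2 = console, 3 = network, 10 = RDP
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress      # anything other than '-' / 127.0.0.1 is a remote use
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it per PC (for example through Invoke-Command against the critical batch) and you have, in one place, the evidence the auditor asked for: whether the account is disabled and, if not, every logon to it with its type and source.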
ASKER
> This is only effective if you have local admin credentials to begin with OR if you haven't encrypted the C:
We encrypted C: with McAfee & it still works, i.e. I could boot in safe mode into a command prompt & then issue
"net user administrator /active:Yes"
"net user administrator New_p8ssword"
My argument with the PC support team is: in the past 6 months, they have never had a case of a PC losing
network access, as they have always been able to log in using a non-privileged domain account that is
a member of the PCs' local Administrators group.
ASKER
Also, with the local admin's password the same across thousands of PCs (& not being changed regularly),
I deem it a risk: a staff member who left & knows it & had remote access could stealthily commit malicious
acts, & if it's disabled, that requires being physically present to boot into safe mode while pressing an
unknown key sequence to boot into a command prompt. This is a lot more secure, as one can't remotely
gain access unless physically present in front of the PC.
@sunhux - Thanks and I was happy to help with this.
ASKER
in CyberArk, which gets changed every time after it's used & is valid for 1 session only, & drawing
out its password requires 2 levels of approval. Also, as it's a domain account, it's SIEM-monitored.