Is disabling a local Windows PC's administrator account a bad or good practice?

We had an internal debate on fulfilling an auditor's requirement for a batch of critical PCs
(that are used for critical processing): the audit requires that login activities to the built-in local
administrator (which we had renamed) be reviewed regularly by another team
(it's used by the End User support team on rare occasions only, when a PC has lost network
connectivity to a central management tool like SCCM):

As a security person, I find it unsustainable to regularly review each time the local admin
is used to log in, & Audit agrees that if we disable it, then review is not needed.

Somehow, there's a way to tweak it (by replacing a binary with cmd.exe) to boot up the
PC in Safe Mode so that we can get to a command prompt to re-enable it for recovery
only (I deem that simply recovering a 'disconnected PC' doesn't need review).

There are debates raised internally:

a) Is disabling local admin a more secure practice than reviewing the activities (which I
    felt no organization has the resources for, i.e. a compliance person to follow up
    each time a login to the local admin is used)? Which of the two is more practical?

b) Another proposal is to install these critical PCs with Splunk agents to pipe their
    events to Splunk so that the events of using local admins are sort of 'monitored' by
    the SIEM.

c) Is disabling local admin considered a bad / unsustainable practice? Any articles
    to support disabling or against it are appreciated.
sunhux Asked:
sunhux (Author) Commented:
Btw, domain admins' access to PCs is accepted by Audit, as we store domain admins' passwords
in CyberArk, which get changed every time after they're used & are valid for 1 session only, & drawing
out a password requires 2 levels of approval. Also, as it's a domain account, it's SIEM monitored.
0
John (Business Consultant (Owner)) Commented:
From Vista forward, the Local Administrator account is disabled by default and should never be enabled.

If you need a local admin account, make a separate account and make it a member of the Administrators group. This account should have a very strong password that is never given out.
1

Lee W, MVP (Technology and Business Process Advisor) Commented:
> Somehow, there's a way to tweak it (by replacing a binary with cmd.exe) to boot up the
> PC in Safe mode so that we can get to command prompt to re-enable it back for recovery
> only (I deem just simply for recovery of a 'disconnected PC' don't need review).
This is only effective if you have local admin credentials to begin with OR if you haven't encrypted the C: drive (BitLocker).
2
masnrock Commented:
> Is disabling local admin a more secure practice than reviewing the activities (which I felt no organizations have the resource to have a compliance person to follow when login to the local admin is used). Which of the two is more practical?
Keep a local admin account. Not necessarily the built-in one, but in the sense John cited. However, you're still going to have to keep audit logs. So from a compliance standpoint, the answer would be having no local admin account. But from the practicality standpoint of being able to get the job done, you're going to have to keep the local account.

> Another proposal is to install these critical PCs with Splunk agents to pipe its events to Splunk so the events of using local admins is sort of 'monitored' by SIEM
This would be the most practical way to go about it. It should cover the bulk of the concerns an audit or compliance officer would have.

> Is disabling local admin considered a bad / unsustainable practice? Any articles to support disabling or against it is appreciated
It's not a bad practice per se. However, you have to understand the downside of having no local admin account at all. Namely, if there are issues where there is no way to connect to the network for authentication. Or if Windows won't start to the point where you might be able to use cached domain credentials.
0
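One way to do the two things this thread circles around, checking whether the (possibly renamed) built-in Administrator is actually disabled and pulling its logons out of the Security log for the periodic review or for forwarding to a SIEM such as Splunk. This is an added PowerShell example, not code from the thread; it assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session, and a 30-day review window (the window is an assumption, not a value from the thread).

```powershell
# Added example (not from the original thread): locate the built-in Administrator
# by its well-known RID 500 (so a renamed account is still found), report whether
# it is enabled, and list recent interactive logons by that account from the
# Security event log (event 4624) for the periodic review the audit asked for.
# Assumes an elevated session: reading the Security log requires admin rights.

param(
    [int]$Days = 30   # review window; an assumption, not a value from the thread
)

# RID 500 identifies the built-in Administrator regardless of its display name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

[pscustomobject]@{
    Name            = $builtin.Name
    SID             = $builtin.SID.Value
    Enabled         = $builtin.Enabled
    LastLogon       = $builtin.LastLogon
    PasswordLastSet = $builtin.PasswordLastSet
} | Format-List

# 4624 = successful logon. Logon types 2 (interactive), 7 (unlock), 10 (RDP) and
# 11 (cached credentials) are the ones that matter when reviewing local admin use.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName
            TargetSid = $d.TargetUserSid
            LogonType = [int]$d.LogonType
            Source    = $d.IpAddress
            Process   = $d.ProcessName
        }
    } |
    # Match on the SID, not the name, so a rename cannot hide the account.
    Where-Object { $_.TargetSid -eq $builtin.SID.Value -and $_.LogonType -in 2,7,10,11 }

if ($logons) {
    Write-Warning "$(@($logons).Count) logon(s) by the built-in Administrator in the last $Days days:"
    $logons | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No interactive logons by the built-in Administrator in the last $Days days."
}
```

Run it from an elevated prompt on each PC in the batch (or through SCCM); if the account is disabled and the list is empty, that is the evidence the audit asked for, and the same 4624 events are what a Splunk forwarder would ship if option b) is chosen.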
sunhux (Author) Commented:
> This is only effective if you have local admin credentials to begin with OR if you haven't encrypted the C:
We encrypted C: with McAfee & it still works, i.e. I could boot in Safe Mode into a command prompt & then issue
"net user administrator /active:Yes"
"net user administrator New_p8ssword"

My argument with the PC support team is: in the past 6 months, they have never had a case of PCs losing
network access, as they had always been able to log in using a non-privileged domain account that is
a member of the PCs' local Administrators group.
0
sunhux (Author) Commented:
Also, with the local admin's password the same across thousands of PCs (& not being changed regularly),
I deem it a risk: a staff member who left & knows it & had remote access could stealthily commit malicious
acts, & if it's disabled, that requires them to be physically present to boot into Safe Mode while pressing an
unknown key sequence to boot into a command prompt; this is a lot more secure, as one can't remotely
gain access unless physically present in front of the PC.
0
masnrock Commented:
My question to you would be exactly how did that former party get to be able to remotely access systems? A policy should include revoking credentials AND changing passwords when someone in that role leaves.
0
John (Business Consultant (Owner)) Commented:
@sunhux - Thanks and I was happy to help with this.
0