Why? Well, since IT staff regularly uses the same local administrator password on all user workstations, and sometimes a slightly more complex one across all servers, it's essentially a shared account distributed across numerous systems.
What's the big deal, right? I'm just talking about a local account, so who cares? While it may not seem to be an issue at first, I can show you a dozen different ways regarding how compromising that one local administrator password used on all the user desktops leads directly to the compromise of the entire Microsoft Active Directory domain within 15 minutes or less.
Shocking? For experienced security pros and penetration testers, it's no surprise. The process from local admin to domain administrator is simply a matter of a quick search across other desktops looking for an active Domain Administrator account (or a process running with Domain Admin privileges), and BLAM, domain pwnage! Or, as Tom Liston mentioned on Twitter, we become Chinese APT.
The question I get most often is how to protect the local administrator account? Step 1: DO NOT allow users to be administrators on their local desktops. Users with admin rights bring along numerous support headaches (e.g., rogue software installs, greater system impact when infected with malware). But, in particular, those users put any local administrator accounts and privileged domain accounts on that system at risk. The user could dump the local password hashes and crack the administrator account's password at their leisure or perform a pass the hash attack. Either way, the user (or attacker) gets access to all desktops using that password (or hash).
The second step is to ensure that all desktops have a unique local administrator password. If a user or attacker were to compromise the local administrator password of one desktop, then they only have full admin access to that one desktop and not all desktops. From an attacker standpoint, this makes lateral movement within the enterprise much more difficult. Unless, of course, the first desktop compromised has a domain administrator account logged in, then it's game over, but the likelihood of that happening is slim unless the attacker already knew which desktop to target.
In upcoming blog posts, I'll discuss some of the free and commercial tools that can be used to protect the local administrator accounts, along with some of the attack methods for getting to that account and how to defend against those attacks. Many of the attack methods and defense tools are the same that we use during penetration testing and cover in our recommendations to clients. It should be a fun series of posts.
John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.