Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:40 AM
John H. Sawyer
John H. Sawyer

Defending Local Administrator Accounts

One compromised desktop is all is usually takes for complete network ownership by an attacker; local admin accounts are often the mechanism for that escalation

In my Tech Insight article in November, I discussed the issue of managing privileged accounts within an enterprise. One area I didn't really touch on was how to protect the local administrator accounts on desktops. The administrator account on corporate desktops often isn't much different than shared accounts that are used on network devices or other systems.

Why? Well, since IT staff regularly uses the same local administrator password on all user workstations, and sometimes a slightly more complex one across all servers, it's essentially a shared account distributed across numerous systems.

What's the big deal, right? I'm just talking about a local account, so who cares? While it may not seem to be an issue at first, I can show you a dozen different ways regarding how compromising that one local administrator password used on all the user desktops leads directly to the compromise of the entire Microsoft Active Directory domain within 15 minutes or less.

Shocking? For experienced security pros and penetration testers, it's no surprise. The process from local admin to domain administrator is simply a matter of a quick search across other desktops looking for an active Domain Administrator account (or a process running with Domain Admin privileges), and BLAM, domain pwnage! Or, as Tom Liston mentioned on Twitter, we become Chinese APT.

The question I get most often is how to protect the local administrator account? Step 1: DO NOT allow users to be administrators on their local desktops. Users with admin rights bring along numerous support headaches (e.g., rogue software installs, greater system impact when infected with malware). But, in particular, those users put any local administrator accounts and privileged domain accounts on that system at risk. The user could dump the local password hashes and crack the administrator account's password at their leisure or perform a pass the hash attack. Either way, the user (or attacker) gets access to all desktops using that password (or hash).

The second step is to ensure that all desktops have a unique local administrator password. If a user or attacker were to compromise the local administrator password of one desktop, then they only have full admin access to that one desktop and not all desktops. From an attacker standpoint, this makes lateral movement within the enterprise much more difficult. Unless, of course, the first desktop compromised has a domain administrator account logged in, then it's game over, but the likelihood of that happening is slim unless the attacker already knew which desktop to target.

In upcoming blog posts, I'll discuss some of the free and commercial tools that can be used to protect the local administrator accounts, along with some of the attack methods for getting to that account and how to defend against those attacks. Many of the attack methods and defense tools are the same that we use during penetration testing and cover in our recommendations to clients. It should be a fun series of posts.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/8/2013 | 9:33:30 AM
re: Defending Local Administrator Accounts
Seen this work from Microsoft?


Solution for management of built-in Administrator account's password via GPO

Solution for management of builtin
Administrator account's password via GPO using custom Client-Side GPO
Solution periodically changes pwd of admin account to random value; it
stores current builtin admin password in AD confidential attribute on
computer account
User Rank: Apprentice
3/1/2013 | 4:53:59 PM
re: Defending Local Administrator Accounts
great timing
im doing an audit of my workplace and there were lots of local admin accounts.
so ive been taking them all away a batch at a time in case anything breaks, so far so good.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...