Dark Reading is part of the Informa Tech Division of Informa PLC


3/1/2013
09:40 AM
John H. Sawyer
Commentary

Defending Local Administrator Accounts

One compromised desktop is all it usually takes for complete network ownership by an attacker; local admin accounts are often the mechanism for that escalation

In my Tech Insight article in November, I discussed the issue of managing privileged accounts within an enterprise. One area I didn't really touch on was how to protect the local administrator accounts on desktops. The administrator account on corporate desktops often isn't much different than shared accounts that are used on network devices or other systems.

Why? Well, since IT staff regularly uses the same local administrator password on all user workstations, and sometimes a slightly more complex one across all servers, it's essentially a shared account distributed across numerous systems.

What's the big deal, right? I'm just talking about a local account, so who cares? While it may not seem to be an issue at first, I can show you a dozen different ways in which compromising that one local administrator password used on all the user desktops leads directly to the compromise of the entire Microsoft Active Directory domain within 15 minutes or less.

Shocking? For experienced security pros and penetration testers, it's no surprise. The process from local admin to domain administrator is simply a matter of a quick search across other desktops looking for an active Domain Administrator account (or a process running with Domain Admin privileges), and BLAM, domain pwnage! Or, as Tom Liston mentioned on Twitter, we become Chinese APT.

The question I get most often is how to protect the local administrator account. Step 1: DO NOT allow users to be administrators on their local desktops. Users with admin rights bring along numerous support headaches (e.g., rogue software installs, greater system impact when infected with malware). But, in particular, those users put any local administrator accounts and privileged domain accounts on that system at risk. The user could dump the local password hashes and crack the administrator account's password at their leisure or perform a pass-the-hash attack. Either way, the user (or attacker) gets access to all desktops using that password (or hash).

The second step is to ensure that all desktops have a unique local administrator password. If a user or attacker were to compromise the local administrator password of one desktop, then they only have full admin access to that one desktop and not all desktops. From an attacker standpoint, this makes lateral movement within the enterprise much more difficult. Unless, of course, the first desktop compromised has a domain administrator account logged in, then it's game over, but the likelihood of that happening is slim unless the attacker already knew which desktop to target.
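The effect of step two can be measured on an inventory export. The following is an added example, not code from the article: the inventory is constructed, and `cred_id` is a hypothetical opaque label from a password audit in which equal labels mean the same local Administrator password.

```python
from collections import defaultdict

# Constructed inventory (not real data). "cred_id" is a hypothetical audit
# label: equal labels mean the hosts share a local Administrator password.
# "da_session" marks a host where a Domain Admin account is logged on.
INVENTORY = [
    {"host": "WS-001", "cred_id": "img-2012", "da_session": False},
    {"host": "WS-002", "cred_id": "img-2012", "da_session": False},
    {"host": "WS-003", "cred_id": "img-2012", "da_session": True},
    {"host": "WS-004", "cred_id": "uniq-7f3a", "da_session": False},
    {"host": "SRV-01", "cred_id": "uniq-91bc", "da_session": True},
]


def _by_credential(inventory):
    """Group inventory records by the local admin credential they share."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[rec["cred_id"]].append(rec)
    return groups


def exposure_report(inventory):
    """Per host: every machine that falls with it, and whether one of them holds a DA session."""
    groups = _by_credential(inventory)
    return {
        rec["host"]: {
            "reachable": sorted(p["host"] for p in groups[rec["cred_id"]]),
            "domain_at_risk": any(p["da_session"] for p in groups[rec["cred_id"]]),
        }
        for rec in inventory
    }


def shared_credentials(inventory):
    """Credential labels present on more than one host: the rotation work list."""
    return {cid: sorted(r["host"] for r in recs)
            for cid, recs in _by_credential(inventory).items() if len(recs) > 1}


def uniquify(inventory):
    """Model step two: give every host its own local admin credential label."""
    return [dict(rec, cred_id="uniq-" + rec["host"]) for rec in inventory]


if __name__ == "__main__":
    print("shared:", shared_credentials(INVENTORY))
    for host, row in exposure_report(uniquify(INVENTORY)).items():
        print(host, row)
```

After `uniquify`, WS-001 exposes only itself, while WS-003 still puts the domain at risk because the Domain Admin session is on that host, which is the exception the paragraph above describes.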

In upcoming blog posts, I'll discuss some of the free and commercial tools that can be used to protect the local administrator accounts, along with some of the attack methods for getting to that account and how to defend against those attacks. Many of the attack methods and defense tools are the same that we use during penetration testing and cover in our recommendations to clients. It should be a fun series of posts.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.

 

Comments
mortenpe,
User Rank: Apprentice
3/8/2013 | 9:33:30 AM
re: Defending Local Administrator Accounts
Seen this work from Microsoft?

http://code.msdn.microsoft.com...

Solution for management of built-in Administrator account's password via GPO

Solution for management of builtin Administrator account's password via GPO using custom Client-Side GPO Extension. Solution periodically changes pwd of admin account to random value; it stores current builtin admin password in AD confidential attribute on computer account
CHV4L,
User Rank: Apprentice
3/1/2013 | 4:53:59 PM
re: Defending Local Administrator Accounts
Great timing.
I'm doing an audit of my workplace and there were lots of local admin accounts.
So I've been taking them all away a batch at a time in case anything breaks, so far so good.