Dark Reading is part of the Informa Tech Division of Informa PLC


3/1/2013
09:40 AM
John H. Sawyer
Commentary

Defending Local Administrator Accounts

One compromised desktop is all it usually takes for complete network ownership by an attacker; local admin accounts are often the mechanism for that escalation.

In my Tech Insight article in November, I discussed the issue of managing privileged accounts within an enterprise. One area I didn't really touch on was how to protect the local administrator accounts on desktops. The administrator account on corporate desktops often isn't much different than shared accounts that are used on network devices or other systems.

Why? Well, since IT staff regularly uses the same local administrator password on all user workstations, and sometimes a slightly more complex one across all servers, it's essentially a shared account distributed across numerous systems.

What's the big deal, right? I'm just talking about a local account, so who cares? While it may not seem to be an issue at first, I can show you a dozen different ways in which compromising that one local administrator password used on all the user desktops leads directly to the compromise of the entire Microsoft Active Directory domain within 15 minutes or less.

Shocking? For experienced security pros and penetration testers, it's no surprise. The process from local admin to domain administrator is simply a matter of a quick search across other desktops looking for an active Domain Administrator account (or a process running with Domain Admin privileges), and BLAM, domain pwnage! Or, as Tom Liston mentioned on Twitter, we become Chinese APT.

The question I get most often is how to protect the local administrator account. Step 1: DO NOT allow users to be administrators on their local desktops. Users with admin rights bring along numerous support headaches (e.g., rogue software installs, greater system impact when infected with malware). But, in particular, those users put any local administrator accounts and privileged domain accounts on that system at risk. The user could dump the local password hashes and crack the administrator account's password at their leisure or perform a pass-the-hash attack. Either way, the user (or attacker) gets access to all desktops using that password (or hash).

The second step is to ensure that all desktops have a unique local administrator password. If a user or attacker were to compromise the local administrator password of one desktop, then they only have full admin access to that one desktop and not all desktops. From an attacker standpoint, this makes lateral movement within the enterprise much more difficult. Unless, of course, the first desktop compromised has a domain administrator account logged in, then it's game over, but the likelihood of that happening is slim unless the attacker already knew which desktop to target.
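The effect of the two steps can be checked against a desktop inventory. The following is an added example, not part of the original article: it models which desktops fall together when one user is compromised, before and after each step. The inventory, its field names and the `cred` label are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory; field names are hypothetical. "cred" is an opaque
# label meaning "same local Administrator password", not a real hash.
FLEET = [
    {"host": "WS01", "user_is_admin": True,  "cred": "gold-image", "da_session": False},
    {"host": "WS02", "user_is_admin": False, "cred": "gold-image", "da_session": False},
    {"host": "WS03", "user_is_admin": False, "cred": "gold-image", "da_session": True},
    {"host": "WS04", "user_is_admin": True,  "cred": "gold-image", "da_session": False},
]

def with_unique_passwords(fleet):
    """Step 2 applied: every desktop gets its own local admin credential."""
    return [dict(h, cred="unique-" + h["host"]) for h in fleet]

def without_user_admins(fleet):
    """Step 1 applied: no interactive user is a local administrator."""
    return [dict(h, user_is_admin=False) for h in fleet]

def shared_credentials(fleet):
    """Audit finding: credential label -> hosts, for labels on more than one host."""
    groups = defaultdict(list)
    for h in fleet:
        groups[h["cred"]].append(h["host"])
    return {c: sorted(hs) for c, hs in groups.items() if len(hs) > 1}

def exposure(fleet, start):
    """Hosts whose local admin access falls if the user on `start` is compromised.

    Assumes the credential is only readable with admin rights on `start`
    (no separate privilege-escalation flaw is modelled).
    """
    first = next(h for h in fleet if h["host"] == start)
    if not first["user_is_admin"]:
        return {"hosts": [], "domain_exposed": False}
    hit = [h for h in fleet if h["cred"] == first["cred"]]
    return {"hosts": sorted(h["host"] for h in hit),
            "domain_exposed": any(h["da_session"] for h in hit)}

if __name__ == "__main__":
    for name, fleet in [("as found", FLEET),
                        ("unique passwords", with_unique_passwords(FLEET)),
                        ("no user admins", without_user_admins(FLEET))]:
        print(name, shared_credentials(fleet), exposure(fleet, "WS01"))
```

With the shared password, a single admin user on WS01 exposes every desktop and the domain admin session on WS03; with unique passwords the same compromise stays on WS01.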

In upcoming blog posts, I'll discuss some of the free and commercial tools that can be used to protect the local administrator accounts, along with some of the attack methods for getting to that account and how to defend against those attacks. Many of the attack methods and defense tools are the same that we use during penetration testing and cover in our recommendations to clients. It should be a fun series of posts.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.

Comments
mortenpe,
User Rank: Apprentice
3/8/2013 | 9:33:30 AM
re: Defending Local Administrator Accounts
Seen this work from Microsoft?

http://code.msdn.microsoft.com...

Solution for management of built-in Administrator account's password via GPO

Solution for management of builtin Administrator account's password via GPO using custom Client-Side GPO Extension.
Solution periodically changes pwd of admin account to random value; it stores current builtin admin password in AD confidential attribute on computer account
CHV4L,
User Rank: Apprentice
3/1/2013 | 4:53:59 PM
re: Defending Local Administrator Accounts
Great timing.
I'm doing an audit of my workplace and there were lots of local admin accounts.
So I've been taking them all away a batch at a time in case anything breaks, so far so good.