From a security perspective, I lean toward the former explanation, but the latter is also valid. I've seen all too often during penetration tests that we've performed that as soon as we get a local administrator on one system, all other systems fall, and we're minutes from domain admin. From there, we can pillage all we want in order to find the necessary information to take control of the network infrastructure, Unix environment, virtualization environment, etc.
While having unique passwords for the local administrator accounts on the Windows (and Unix) systems won't stop an experienced attacker, it will slow them down. That slowdown will hopefully be enough to cause the attacker to make a mistake, trigger antivirus, or generate a log event that allows you to detect him.
The following is a sampling of products that can assist in creating unique passwords for the local administrator accounts in a Microsoft Windows environment. Some of the commercial offerings are cross-platform and can also handle Unix-based systems, network devices, and more. For now, I'm more focused on the Windows side of things.
This is a list of some of the many commercial solutions I've come across as I've researched the topic for clients. Many "privileged identity management" solutions are available on the market that can manage local admin accounts.
- Lieberman Software: Random Password Manager and Enterprise Random Password Manager
- Arellia: Local Security Solution
- Quest: One Privileged Password Manager
- Cyber Ark: Enterprise Password Vault
- Thycoti: Secret Server
This is a list of free and/or open-source applications and scripts that do everything from remotely change passwords on a list of systems to create random passwords via group policies. My "roots" are in a large university environment, so I like free and open-source tools, but you get what you pay for, so be careful with some of these.
- Step-by-step Implementation of Local Administrator Password Randomization Script: This is one of the better scripts and write-ups that I've come across. Jeff also makes a good point that I hadn't mentioned before. Disable the local admin's ability to logon to the computer via the network (SeDenyNetworkLogonRight).
- Admin Account Password Randomization via GPO: This is an impressive solution that has been updated several times since it was first published. The author states he developed it for a client with more than 10,000 systems, and it has been operating there for several years with no problems. I plan to test this one soon.
- XS BAP: This one is useful because you can track the passwords if you need to, but it also introduces the potential for a master list of passwords to be stolen. I'd also be concerned about scalability, but it would work well in a small environment.
- Passgen: This was created by Steve Riley and Jesper Johannson for their "Protect Your Windows Network" book in 2005. I haven't used it in several years, but it should still work.
Initially, I wasn't a fan of randomizing local passwords to something you don't know, but the more I thought about it over time, I realized that it doesn't matter. Obviously, if the system is part of a domain, then you should be able to do anything you need to remotely connect over the network. If, for some reason, there is a problem and the system cannot connect to the network, then there are plenty of tools out there that will let you boot the system and modify or bypass the local admin password so that you can get in.
If you have any practical experience with any of the tools above, please leave a comment or send me an e-mail. I've had clients implement several of the commercial solutions, but none of the free options. I'd be interested to hear how they've worked out.
John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.