Perimeter

3/15/2013
02:45 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Managing The Local Admin Password Headache

Forcing and managing unique passwords on Windows systems in an enterprise network can be challenging, but many tools are out there to help

In my past couple of blog entries, I wrote about some protection mechanisms for keeping the local administrator account safe on Windows systems. There are many reasons for wanting to keep the admin account safe. Some IT shops may say their primary reason is prevention against an attacker spreading further throughout the network, while others are more concerned about users elevating their privileges and modifying their systems, which introduces so many additional problems.

From a security perspective, I lean toward the former explanation, but the latter is also valid. I've seen all too often during penetration tests that we've performed that as soon as we get a local administrator on one system, all other systems fall, and we're minutes from domain admin. From there, we can pillage all we want in order to find the necessary information to take control of the network infrastructure, Unix environment, virtualization environment, etc.

While having unique passwords for the local administrator accounts on the Windows (and Unix) systems won't stop an experienced attacker, it will slow them down. That slowdown will hopefully be enough to cause the attacker to make a mistake, trigger antivirus, or generate a log event that allows you to detect him.

The following is a sampling of products that can assist in creating unique passwords for the local administrator accounts in a Microsoft Windows environment. Some of the commercial offerings are cross-platform and can also handle Unix-based systems, network devices, and more. For now, I'm more focused on the Windows side of things.

This is a list of some of the many commercial solutions I've come across as I've researched the topic for clients. Many "privileged identity management" solutions are available on the market that can manage local admin accounts.

This is a list of free and/or open-source applications and scripts that do everything from remotely change passwords on a list of systems to create random passwords via group policies. My "roots" are in a large university environment, so I like free and open-source tools, but you get what you pay for, so be careful with some of these.

Initially, I wasn't a fan of randomizing local passwords to something you don't know, but the more I thought about it over time, I realized that it doesn't matter. Obviously, if the system is part of a domain, then you should be able to do anything you need to remotely connect over the network. If, for some reason, there is a problem and the system cannot connect to the network, then there are plenty of tools out there that will let you boot the system and modify or bypass the local admin password so that you can get in.

If you have any practical experience with any of the tools above, please leave a comment or send me an e-mail. I've had clients implement several of the commercial solutions, but none of the free options. I'd be interested to hear how they've worked out.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
kmasters787
50%
50%
kmasters787,
User Rank: Apprentice
3/17/2013 | 4:43:32 AM
re: Managing The Local Admin Password Headache
Great timing on this article! -I'll be pursuing a workable solution for my company very soon around unique local admin passwords. -For us, having the ability to find the random local admin password is a must. -(Execs always on the move that get locked out when 1000's of miles away) -Does the "...Randomization via GPO" solution give the ability to-look-up-the random password?
jeffmcjunkin
50%
50%
jeffmcjunkin,
User Rank: Apprentice
3/20/2013 | 4:13:46 AM
re: Managing The Local Admin Password Headache
Jeff McJunkin here, the author of the relevant article.

No, that particular solution doesn't give the ability to look up the random password. Group Policy scripts are inherently viewable by standard users, so any programmatic way of setting the local Administrator passwords would be discoverable in a trivial fashion by any authenticated user.

PXE booting to something like "NT Password Reset" or Kon-Boot does the trick for me (relevant article:-http://jeffmcjunkin.com/2012/0....

If you do end up setting per-desktop passwords, I'd recommend setting it to something like the first 16 characters of SHA1(desktop serial / identifier + known salt). Of course, the salt used in the hashing algorithm would become very important to keep secret.
Will N
50%
50%
Will N,
User Rank: Apprentice
3/20/2013 | 2:54:37 PM
re: Managing The Local Admin Password Headache
A random unknown password is only more secure to the extent someone doesn't need administrative rights.- The biggest nightmare for us is not having admin credentials when the user is remote.- An executive that can't update their VPN software or otherwise fix something is a nightmare for IT staff.-- The first tenent of security is data availability and my experience is that the most common security failure is this self inflicted denial of availability when someone needs admin and can't get it.

This must be a difficult problem to solve since no one is really
offering anything that works to keep admin credentials both secure, and
available when needed.

USB or CD booting for a password reset with some ugly tool like Kon Boot isn't really a viable solution for tech challenged road warriors. They have to carry along a cd or usb every time they leave the network?- Most people barely keep track of their power supply.
RobertL444
50%
50%
RobertL444,
User Rank: Apprentice
4/22/2014 | 11:04:40 PM
re: Managing The Local Admin Password Headache
Hello Will:

 

When you get an opportunity, please take a look at Synergix AD Client Extensions software.  It has a feature to manage Built-In Administrator Account Password.  The password is system generated ( from 8 characters to 48 characters that you set in a GPO ) and is stored in Active Directory.   Only designated administrators are allowed to retrieve the password.  In addition, you can create a backup administrator account.

The password is changed every 7 days ( configurable ) and validated every 24 hours.  This solution is not only useful for the remote laptop users who may have VPN connectivity issues but generally speaking ideal solution for the enterprise.

Take a look at http://www.synergix.com or write to [email protected]

 
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...