Re: Removing Local Admin Accounts - What do you think?



On 2008-01-13 Rob Thompson wrote:
> I am asking this as I will be presenting this to a company, as they
> have proposed this idea and I want to show them exactly what they are
> considering getting themselves into.
>
> What is your professional opinion on removing the local administrator
> account?

Don't do it. The local administrator account exists for local system
administration and troubleshooting purposes, e.g. in situations where
for some reason the box is unable to access the network.

> Does this pose a security risk to have a local administrator account
> on a computer, so that IT staff (which are the only people in the
> organization that are entitled to this user/pass) can do work on a
> computer in a way that cannot be "securely" audited? What I mean by
> this is, they all use this one account (for emergencies only), instead
> of using their own credentials over the network - thereby showing the
> local admin account was used, but not who used it.

Yes, that is possible. However, anyone with administrative privileges is
able to bypass auditing measures anyway.

> What are the risks involved in removing this account?

See above.

> Is this a general best practice, from a security point of view?

Not that I'm aware of.

> If not, what is the best practice from a security point of view?

Give administrative privileges only to trusted persons. Use strong
passwords for local admin accounts and change them on a regular basis.

> Lastly, do you believe or not, that if the IT staff wanted to
> compromise a box, anonymously, would they really need this local
> administrator account on the box? Or would they still be able to do
> this, without the account there? Why?

Yes, they can do that anyway, e.g. by booting some other system from
removable media.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
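The thread's concern is that a shared local admin account shows up in the audit trail as "Administrator was used" with no record of who used it. As an added example (not from either poster), the Python below runs detection logic over constructed, simplified Security-log records: it flags interactive logons by the built-in Administrator (RID 500, which survives a rename) together with the source workstation and address, and flags audit-log clears (event 1102), which is the "bypass auditing" case the reply mentions. The flat key=value record layout is an assumption of this example, not the native Windows event format.

```python
# Added example: flag uses of the built-in Administrator account in
# simplified Security-log records. The key=value layout is an assumption.
from dataclasses import dataclass

# Constructed sample records, one event per line. 4624 = successful logon,
# 1102 = audit log cleared. RID -500 is the built-in Administrator, whatever
# the account has been renamed to ("helpdesk" below).
SAMPLE_LOG = """\
EventID=4624 Time=2008-01-13T08:02:11 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1105 LogonType=2 WorkstationName=WS01 IpAddress=-
EventID=4624 Time=2008-01-13T09:15:40 TargetUserName=Administrator TargetUserSid=S-1-5-21-1-2-3-500 LogonType=2 WorkstationName=WS01 IpAddress=-
EventID=4624 Time=2008-01-13T09:20:05 TargetUserName=helpdesk TargetUserSid=S-1-5-21-1-2-3-500 LogonType=10 WorkstationName=WS01 IpAddress=10.0.0.5
EventID=1102 Time=2008-01-13T09:30:00 SubjectUserName=helpdesk SubjectUserSid=S-1-5-21-1-2-3-500
"""

INTERACTIVE_LOGON_TYPES = {"2", "10"}  # console and remote interactive


@dataclass(frozen=True)
class Finding:
    time: str
    kind: str     # "local_admin_logon" or "audit_log_cleared"
    account: str  # name shown in the event (may be a renamed Administrator)
    source: str   # workstation/IP: the only attribution a shared account allows


def parse_record(line: str) -> dict:
    """Split one 'key=value key=value ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_builtin_admin(sid: str) -> bool:
    """RID 500 marks the built-in Administrator regardless of its name.
    A domain Administrator also has RID 500; compare the SID prefix with
    the machine SID if the two must be told apart."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-500")


def audit_local_admin_use(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec["EventID"] == "4624" and is_builtin_admin(rec["TargetUserSid"])
                and rec["LogonType"] in INTERACTIVE_LOGON_TYPES):
            source = f"{rec['WorkstationName']}/{rec['IpAddress']}"
            findings.append(Finding(rec["Time"], "local_admin_logon",
                                    rec["TargetUserName"], source))
        elif rec["EventID"] == "1102":
            # The clear event itself still records which account did it.
            findings.append(Finding(rec["Time"], "audit_log_cleared",
                                    rec["SubjectUserName"], "-"))
    return findings
```

Correlating the workstation and time of each finding with badge or ticket records is how the organization recovers the "who" that the shared account itself never logs.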
