RE: Removing Local Admin Accounts - What do you think?



Rob,

From experience, IT people will need admin access to the local PC's, but
it was always best to add them to the admins group rather than share the
admin account password. This allows you to have some logging (if you
enable it of course) in the event that you have a security issue.

As for the admin account it self, I would rename it, and limit who has
that password. Not sure that this is a universal best practice, but
have seen that done by some universities as well as some medical groups.

Not sure that you can delete it completely though. End user wise, I
have yet to find an application that could not run without admin rights.
Saying that, you may have to run the old sysinteral apps to see what reg
keys and file permissions need tweaked.

Thanks
Brian


On Jan 13, 2008 7:19 PM, Rob Thompson <my.security.lists@xxxxxxxxx>
wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear List,

I am looking for a general consensus from my peers. If you are able
to answer this with definite knowledge and not an assumption and you
fully understand what you are saying, please reply to this message. I

do not mean to be rude, but if you are not sure, please do not respond

to this message.

I am asking this as I will be presenting this to a company, as they
have proposed this idea and I want to show them exactly what they are
considering getting themselves into.

What is your professional opinion on removing the local administrator
account?

Does this pose a security risk to have a local administrator account
on a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited? What I mean by
this is, they all use this one account (for emergencies only), instead

of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.

What are the risks involved in removing this account?

Is this a general best practice, from a security point of view?

If not, what is the best practice from a security point of view?

Lastly, do you believe or not, that if the IT staff wanted to
compromise a box, anonymously, would they really need this local
administrator account on the box? Or would they still be able to do
this, without the account there? Why?

I sincerely appreciate your time and thank you in advance for any
answers that you may pose. Also, if you see something that I did not
consider in my questions, please feel free to include that as well.

Please remember, if you think that this is a wise decision or not,
PLEASE state your answers and why.


- --
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| _ |
| ASCII ribbon campaign ( ) |
| - against HTML email X |
| / \ |
| |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkeKZCsACgkQcfN68iZZIcf9SgCgii4WMWjE8upNop/TvA41sqpJ
2GgAoNnC7iU1OT8GAPVkouK0UlfHfqkN
=67NY
-----END PGP SIGNATURE-----




Relevant Pages

  • Re: Active Directory Security
    ... Although you can lock the admin account as soon as the valid password for the admin account is provided the system automatically unlocks this special account and allows it to log on. ... >> There is plenty of security in place to protect your assets in AD.>> Users ...
    (microsoft.public.windows.server.active_directory)
  • Re: renaming administrator account
    ... > This is why renaming the administrator account is more security theater than ... it gives more than just a theater. ... i have had sometimes and admin account called "guest" and guest account ...
    (microsoft.public.windows.server.security)
  • Re: How good is Comodo Internet Security?
    ... Admin account + web browser + LUA token ... admin account opposed of running as iam now, which is JUST PURE admin level? ... While LUA gives added security, ... payload delivered by a buffer overrun (assuming the app was allowed to ...
    (comp.security.firewalls)
  • Re: Disk Utility/encrypted images - choices
    ... it means he has chosen to use less security. ... One has to deliberately go in and set this system to not log in to the first account by default. ... Also on my daughter's machine I only have one account (an admin account) for myself, while on machines that I use more frequently, I have two accounts for myself, admin and regular. ...
    (comp.sys.mac.system)
  • Re: domain admin account impersontating
    ... i guees that the bottom line is that the domain admin account can be ... with the same username and password. ... Starting with Windows XP this became less simple, ...
    (microsoft.public.windows.server.security)