Networking Forums

How does your organization manage the local administrator account on workstations?

 
 
Spin

 
      08-30-2008, 03:32 AM
Gurus,

How does your organization manage the local administrator account on
workstations? Typically the end-users do run with "administrative"
privileges, but a local admin account is needed to access a machine offline.
So how is this account typically named (i.e., renamed) and its password secured
(i.e., complex and known to only a few people)? Then you have the problem of
having to change this password on every workstation if a member of the IT
staff leaves. Just looking for quick thoughts here, no long treatise on the
topic is necessary!

--
Spin

 
 
Spin

 
      08-30-2008, 03:34 AM
I meant to say "Typically the end-users don't run with "administrative"
privileges"

 
 
Meinolf Weber

 
      08-30-2008, 06:31 AM
Hello Spin,

Domain users can also log on with cached credentials when they are not connected
to the domain; only a one-time domain logon is needed beforehand.

If you really need to make your users local admins, use Restricted Groups
with a GPO:
http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Gurus,
>
> How does your organizations manage the local administrator account on
> workstations? Typically the end-users do run with "administrative"
> privileges, but a local admin account is needed to access a machine
> offline. So how is this account typically named (i.e. renamed) and
> password secured (i.e., complex and only a few people know it)? Then
> you have the problem of having to change this password on every
> workstation if a member of the IT staff leaves. Just looking for
> quick thoughts here, no long treatise on the topic is necessary!
>



 
 
Anteaus

 
      08-30-2008, 07:34 AM
Likewise we make users local admins, having found limited-user working to
cause too many problems. We maintain the local Administrator password with a
small program run from the logon-script. This arrangement has the advantage
that if an installer forgets to set a password, the standardised one will be
set at next logon.

The key thing is to make sure users don't get added to the Domain Admins
group. I've seen sites that are like this, and it leaves the whole network
open to attack from any one compromised computer.

 
 
Mathieu CHATEAU

 
      08-30-2008, 12:28 PM
Hello,

Renaming the account isn't helpful when people are logged in. It's useful
against a remote attacker trying to brute-force it who can't guess the name.
Smacking the local admin password is easy from a boot CD. All you can do is:
- Make things harder
- Automate checks on this account and its usage.

Making things harder:
- The password length must be > 14 to prevent storage of the LM hash of the
password (so only the NTLM version is stored). Or storage in LM hash format must
be prohibited by GPO.
- All workstations must have a unique local admin password. If they share the
same one, anyone that gets it is admin of all workstations.
- Disable the account. It's normally not needed for day-to-day usage.
- Set a BIOS password (one per machine) and only allow boot from disk. No CD,
USB or network.
- Enforce the members of the local Administrators group through GPO.

Automate checks:
- Place a logon script on it, so when it's used it creates a flag in the
registry or a file. So you have a clue whether it was used and when.
- Audit the Security event log for traces of this account being used.
- Change it every X months. When changing, test for it, so you will know if
someone changed it.
- Inventory the software installed on workstations. Local admin rights are
sought in order to install whatever you want, especially on notebooks, which
you can bring to your best friend, the computer expert one of course.

--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

 
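Added example, not code from the thread or from any of the posters: a PowerShell 5.1 audit script that checks one workstation against the "automate checks" items above, plus the group-membership and LM-hash points from the "making things harder" list. It finds the built-in Administrator by its RID of 500 so a rename does not hide it, reads the NoLMHash policy value, reports members of the local Administrators group that are not on an allow-list, and pulls Security event 4624 logons whose target SID is the built-in account. It assumes Windows 8.1 / Server 2012 R2 or later (for the LocalAccounts module), an elevated session, and the allow-list entry `CONTOSO\Workstation Admins` is a placeholder.

```powershell
# Added example (not from the thread). Audit a workstation's built-in Administrator
# account. Run elevated on Windows 8.1 / Server 2012 R2 or later (PowerShell 5.1).
param(
    [string[]]$ApprovedAdmins = @('CONTOSO\Workstation Admins'),  # placeholder allow-list
    [int]$LookbackDays = 30
)

function Get-BuiltinAdminReport {
    # RID 500 identifies the built-in Administrator whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found.' }

    # NoLMHash = 1 stops the LM hash being stored at the next password change,
    # independent of password length (the ">14 characters" rule covers hosts without it).
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $noLmHash = ($lsa.NoLMHash -eq 1)

    # Drift in the local Administrators group: anything not on the allow-list,
    # other than the built-in account itself, is reported.
    $members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $unexpected = @($members | Where-Object {
        $_.SID.Value -ne $builtin.SID.Value -and $ApprovedAdmins -notcontains $_.Name
    } | Select-Object -ExpandProperty Name)

    # Successful logons (event 4624) whose TargetUserSid is the built-in account.
    # Field positions in 4624: 4 = TargetUserSid, 8 = LogonType, 18 = IpAddress.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[4].Value.ToString() -eq $builtin.SID.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $_.Properties[8].Value      # 2 interactive, 3 network, 10 RDP
                Source    = $_.Properties[18].Value     # remote address; '-' or 127.0.0.1 when local
            }
        })

    # Password age supports the "change it every X months" check.
    $ageDays = $null
    if ($builtin.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $builtin.PasswordLastSet).TotalDays
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = $builtin.Enabled
        PasswordLastSet     = $builtin.PasswordLastSet
        PasswordAgeDays     = $ageDays
        NoLMHash            = $noLmHash
        UnexpectedAdmins    = $unexpected
        BuiltinAdminLogons  = $logons
    }
}

Get-BuiltinAdminReport | Format-List
```

The password length itself cannot be read back from the SAM, which is why the script checks the NoLMHash setting instead. Run it from a scheduled task or over PowerShell remoting and alert on any entry in BuiltinAdminLogons or UnexpectedAdmins; on Windows XP / Server 2003 the equivalent logon events are 528 and 540 rather than 4624, and the LocalAccounts cmdlets are not available there.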
 
Dan

 
      08-30-2008, 04:01 PM
Nice advice. The only thing I can think of adding is to make sure the
computers are physically locked down: cables securing the desktops, ideally in
locked and secured rooms with access limited to those who need it, and physical
locks on the computers (like a computer cable for the desktop) to prevent access
to the inside of the computer, where someone could physically remove the CMOS
battery to reset the BIOS password.

 
 
Mathieu CHATEAU

 
      08-30-2008, 04:43 PM
I have even heard of a workaround for this:

Write a bad bit into the BIOS configuration. Then the BIOS will return to
defaults at next boot.
But I don't know of a tool for this, or what needs to be written to do so.
Maybe by customising a BIOS update tool from Dell or Asus...

--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

 
 
Anteaus

 
      08-31-2008, 08:50 AM
Possibly, though it would not be easy to exploit.

On this subject, bear in mind that setting and forgetting a notebook BIOS
password can effectively brick the machine. The password is typically stored
in an NVRAM chip, and sometimes the only remedy possible is to replace this
chip, which requires an SMD soldering kit. This is more of a concern, especially
as there is in most cases no way to prevent a 'clever clogs' user from doing
the set/forget trick, not realising the seriousness of their blunder.

Some OEMs even go as far as to provide a desktop utility that sets the NVRAM
password. Most users, on seeing this, will *think* it sets their LAN
password, with predictable consequences.

 
 
Roger Abell [MVP]

 
      08-31-2008, 01:49 PM
"Anteaus" <(E-Mail Removed)> wrote in message
news:7722DB1B-B8CA-47CD-A2C2-(E-Mail Removed)...
> Likewise we make users local admins, having found limited-user working to
> cause too many problems. We maintain the local Administrator password with
> a
> small program run from the logon-script. This arrangement has the
> advantage
> that if an installer forgets to set a password, the standardised one will
> be
> set at next logon.
>
> The key thing is to make sure users don't get added to the Domain Admins
> group. I've seen sites that are like this, and it leaves the whole network
> open to attack from any one compromised computer.
>


I could argue that your entire client infrastructure is open to high risk,
not just of attack/compromise but perhaps more significantly of violation
of information privacy. Consider: any account (you say they are admins)
can get the local admin password from the program used to set that password.
It might take a little effort, but I would bet that you cannot prevent that.
So, any account can obtain a password valid for admin access on any of
the client systems. That basically means that anything stored on any of
those systems is, or can be made, available. As for network-stored data,
it would only be a keylogger away.

Roger
PS We have found that users can function without problem as non-admin.



 
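Added example, not from the thread or from any poster: one way to avoid the shared-password problem Roger raises, in PowerShell 5.1. Instead of a standardised password that every local admin can recover from the logon-script program, the script gives each workstation its own random 20-character password (long enough that no LM hash is stored for it), escrows it encrypted to a helpdesk certificate's public key with Protect-CmsMessage, and only then changes the password, optionally disabling the account as Mathieu suggests earlier in the thread. The certificate thumbprint and the escrow share path are placeholders; the certificate must carry the Document Encryption EKU and be present in the machine's certificate store, and its private key lives only with the people allowed to read the passwords. The share should give the account running the script write-only (drop-box) access. Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

```powershell
# Added example (not from the thread). Per-machine unique local Administrator
# password with certificate-based escrow. Run elevated (e.g. as a startup script)
# on Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1.
param(
    [string]$EscrowCertThumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$EscrowShare          = '\\fileserver\AdminEscrow$',                 # placeholder
    [switch]$Disable                                                              # disable after setting
)
$ErrorActionPreference = 'Stop'   # any failure below aborts before the password changes

# Random password from a cryptographic RNG, with rejection sampling so every
# character is equally likely. 20 characters is over the LM-hash limit of 14.
function New-RandomPassword([int]$Length = 20) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $limit    = 256 - (256 % $alphabet.Length)   # bytes >= limit would bias the modulo
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    $chars    = [System.Collections.Generic.List[char]]::new()
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

# Locate the built-in Administrator by RID 500; the name may have been changed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found.' }

$plain = New-RandomPassword

# Escrow first: encrypt "computer<TAB>account<TAB>password" to the helpdesk
# certificate (Document Encryption EKU). Only its public key is needed here;
# Unprotect-CmsMessage with the private key recovers the record.
$record = "{0}`t{1}`t{2}" -f $env:COMPUTERNAME, $builtin.Name, $plain
$cms    = Protect-CmsMessage -To $EscrowCertThumbprint -Content $record
$dest   = Join-Path $EscrowShare ("{0}.cms" -f $env:COMPUTERNAME)
Set-Content -Path $dest -Value $cms -Encoding ASCII

# Only after the escrow copy is on the share do we change the password, so a
# failure above cannot leave a machine with a password that nobody holds.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-LocalUser -InputObject $builtin -Password $secure
if ($Disable) { Disable-LocalUser -InputObject $builtin }

# Drop the plaintext; the escrow file is the only copy that leaves this host.
Remove-Variable plain, record, secure
```

Recovering a password is Unprotect-CmsMessage on the dropped file on a machine that holds the private key. Because no shared secret is ever on the workstations, a departing IT staff member only knew the passwords they actually looked up, and those are the machines to re-run the script on; everything else can keep its password.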
 
Roger Abell [MVP]

 
      08-31-2008, 01:51 PM
You have listed some good techniques Mathieu, thanks for sharing.
Roger

 