Local Admin Passwords: The Hidden Security Risk
You’re a good administrator, and you don’t take shortcuts. You adhere to information security best practices whenever possible, and you take that responsibility seriously.
With that said, a hidden setting in a Windows 10 implementation scenario might result in a precarious setup – one in which every computer in your network can be accessed with the same password. In other words, a hacker would only need to steal a single credential in order to obtain the keys to your entire kingdom. Due to an upcoming change in the Windows platform, there’s a good chance that this could happen to you – here’s how to avoid it.
Local Administrator Users Explained
Every Windows PC needs an administrator – the default local administrator user – once it’s first set up. This administrator is mostly irrelevant to the process of managing endpoints within an enterprise environment. Endpoints get managed by the domain administrator, not the local administrator. Typically, you’ll only use local administrator access if your network goes down and you need to access a computer manually.
Windows 10 disables local administrators by default, but the local administrator issue is still cropping up. How does this happen?
Right now, many companies are deploying Windows 10 for the first time due to the impending sunset of support for Windows 7. This process usually involves provisioning every computer with a copy of the same Windows 10 image. Administrators often re-enable local administrators in Windows 10, because they need local access to their computers in the event of a disaster. If they configure their Windows 10 computers with an image that has the local administrator enabled, then every computer that’s provisioned via that image will have the same credentials.
In short, one password can be used to unlock every endpoint!
What’s the Worst-Case Scenario?
If every local administrator account has the same password, it may not be obvious. Your users don’t usually access their endpoints using their administrator accounts, after all. This fact is discoverable to a malicious user or attacker, however.
Using their local SAM account, or tools such as mimikatz or impacket, an attacker or malicious user could discover their own local administrator password. Since many attackers know about this potential vulnerability, it won’t take them long to try the password on every other computer in your network.
Even if the local administrator is disabled network operations — meaning, the local administrator can only be used when directly running in the local machine — this is still a vast security risk. Attackers will use this vulnerability for privilege escalation. They simply log in with any other account remotely, and then “run as” the local administrator to gain administrative privileges.
Another thing to look for is the Group Policy Object (GPO). In some cases, the GPO, which executes whenever anyone logs in to the machine, might contain some script or definition for the local administrator. That definition might just contain the local administrator password that is set on all machines, and since the GPO is readable by everyone, one can simply fetch it. I’ve seen some places where the GPO contains a script that performs a calculation on the machine’s name and MAC address to get a “random” password for the local admin. This means that anyone who knows the machine’s name and MAC address can access it.
Managing the Threat – Without Cutting off Access
The simplest way to avoid problems with the local administrator is to disable it entirely – but that exposes you to other problems, such as when the network goes down.
You could also create a unique password for every machine. This may sound like a lot of work, especially if you have hundreds of endpoints, but Microsoft has fortunately released a tool that will create random local administrator passwords using the GPO, and then store them in Active Directory. Hackers can still steal credentials, but it would take a lot more work to compromise all your endpoints.
Keeping the local administrator a non-threat requires maintenance – no matter the approach you take. The network admin should make sure the passwords are unique and are not reused, or not usable at all. This needs to happen even when deploying machines from a template, or when deploying manually. Backsliding is unfortunately easy – reusing passwords can be so much easier from a maintenance perspective that people forget about the security aspect.
Discovering the problem is a major issue on its own. If you have hundreds or thousands of machines in your network, some might reuse passwords and some might not. Maybe just the machines located on floor 2, maybe just the machines in accounting, or maybe just the executives’ machines. This is most likely the common case, since machines might have been deployed in batches by different people.
Take the Effort Out of Password Management
In the worst-case scenario, local administrator passwords represent a steep technical debt. It’s a problem that’s difficult for an administrator to sniff out, but easy for an attacker to exploit. Even if you put in the work to root out the problem, a single lazy administrator can repeat the cycle by re-imaging your machines incorrectly.
Fortunately, there’s a way of keeping your passwords in check. Preempt performs an automatic device audit as soon as it encounters your network and can highlight issues such as weak and shared passwords. Password management can seem like an unrewarding job but Preempt helps you keep risks under control without adding hours to your day. Check out our platform page to learn more.
This blog post was previously published under the title, “Are Local Administrator Passwords a Security Risk In Your Organization? and was re-edited with current information.
Posted by Avi Kama on July 16, 2019 11:33 AM