Local Administrator Accounts Security
-
On the various server VMs the customer wants a local admin account in addition to the domain admin account.
For security though, should we disable the Administrator account and create a differently named local account with admin privileges instead?
Are we gaining a lot of security by doing this?
Thinking of using LAPS for these also.
-
I believe, as a general rule, you want to disable any account that is Admin or Administrator. They are too easy to attack.
Can you have administrative accounts? Yes, just don't use Admin or Administrator, anything but. In my current environment it's still not advised, but they use First(initial)admin (i.e. GAdmin). Again, I wouldn't use anything with Admin in it.
Something better was what the State used: (code)-UserName; in their case it was EAS-UserName, whereas UserName was the normal 'user' account. No, I don't know what EAS stands for... maybe something along the lines of Elevated Administrative Security (shrug)...
And local accounts can be forgotten about which causes a different set of issues.
-
In Windows the original Administrator account is apparently a pretty special account (so I've read).
To that end, the advice I've seen is to rename that Admin account to something else. The bad thing about that, if it still holds true, is that the Administrator account always has the same SAM, so I'm not sure how helpful this is.
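The point above about the account keeping the same identifier after a rename can be checked directly: the built-in Administrator's SID always ends in the well-known relative ID 500, whatever its display name. The following PowerShell is an added example written for this thread, not code posted by anyone in it; it assumes an elevated prompt on Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets are available. It finds the built-in account by RID, reports whether it is enabled, and lists the other members of the local Administrators group, which is where the customer's separately named admin account should appear.

```powershell
# Added example (not from the thread): locate the built-in Administrator by its
# well-known RID (500), whatever it has been renamed to, and report its state
# together with the other local admins. Requires an elevated prompt.

# The built-in account's SID always ends in -500; the name is irrelevant.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

# Summary of the built-in account: a rename shows up in Name, not in the SID.
[PSCustomObject]@{
    BuiltInName     = $builtin.Name
    BuiltInSid      = $builtin.SID.Value
    BuiltInEnabled  = $builtin.Enabled
    PasswordLastSet = $builtin.PasswordLastSet
}

# Everyone else in the local Administrators group: the separately named local
# admin account and any domain groups pushed down by policy should be listed here.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -notmatch '-500$' } |
    Select-Object Name, ObjectClass, PrincipalSource

# Consistent with the thread's advice: once a separately named admin account
# exists (and LAPS is managing its password), disable the built-in account.
# Left commented out so the script is read-only by default.
# Disable-LocalUser -SID $builtin.SID
```

Because the lookup keys on the SID rather than the name, this is also a reasonable audit script to run across the VMs after the change: an enabled RID-500 account, or an Administrators group whose only other member is a domain admin account, are the two conditions the thread warns about.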
-
@eleceng said in Local Administrator Accounts Security:
On the various server VMs the customer wants a local admin account in addition to the domain admin account.
For security though, should we disable the Administrator account and create a differently named local account with admin privileges instead?
Are we gaining a lot of security by doing this?
Thinking of using LAPS for these also.
Security through obscurity. Yeah, no. You're better off implementing some form of 2FA.
-
@eleceng said in Local Administrator Accounts Security:
For security though, should we disable the Administrator account and create a differently named local account with admin privileges instead?
Not a bad idea. Good way to go.
-
@marcinozga said in Local Administrator Accounts Security:
@eleceng said in Local Administrator Accounts Security:
On the various server VMs the customer wants a local admin account in addition to the domain admin account.
For security though, should we disable the Administrator account and create a differently named local account with admin privileges instead?
Are we gaining a lot of security by doing this?
Thinking of using LAPS for these also.
Security through obscurity. Yeah, no. You're better off implementing some form of 2FA.
For sure 2FA goes much farther.
-
@eleceng said in Local Administrator Accounts Security:
should we disable the Administrator account and create a differently named local account with admin privileges instead
@eleceng said in Local Administrator Accounts Security:
Are we gaining a lot of security by doing this?
Not likely. The fact that the VM is joined to an on-prem AD domain means it's very likely you've technically already lost any and all security of the device/VM.
The only gain here is that you're preventing some random person who's trying to authenticate to the system as the local Administrator from automatically knowing which username to log in with at that moment. But that is such a small aspect of the actual security of the system that you can basically say no, you are not technically gaining any security by doing that.
-
@eleceng said in Local Administrator Accounts Security:
On the various server VMs the customer wants a local admin account in addition to the domain admin account.
For security though, should we disable the Administrator account and create a differently named local account with admin privileges instead?
Are we gaining a lot of security by doing this?
Thinking of using LAPS for these also.
Yup. Use LAPS. It's excellent.
-
@gjacobse we did similar at a previous job. But we used ADM.
-
@eleceng Just make sure that you have an account that is not the built-in Administrator user as the only Domain Admin, and that the GPO is applied only to certain OUs and not the domain root. Otherwise you will have a problem on your hands.