Windows Security: Best Practices and Tricks to Protect Local Admin Passwords at a Large Scale

How do you secure local admin passwords, for instance on machines that are deployed from a common image?

First of all, two mandatory steps:

  • Make sure all applicable security fixes are being deployed
  • Have an inventory of the local admin accounts, updated on a regular basis.

Disable the local admin account 

The first recommendation is to disable the local admin account, provided the machine is domain-joined and offline sessions (opening a session without AD connectivity) are allowed.

Why do so? Because if one machine is compromised and its local admin password is compromised along with it, and that password is shared with other machines, then compromising the rest of the IT estate becomes much easier for the attacker. The goal is to confine a compromise to one zone (a single machine) rather than let it become a global compromise.

Important note: on the current version of Windows you might not be able to delete the default admin account, or it might be hidden. More info:

Docs: Local Accounts

Rename the built-in local administrator account

If that first recommendation is not doable, the second advice is to rename the built-in local administrator account to a name that the organization itself can easily recall. This makes numerous attacks considerably more complex, including attacks by malware in which the local admin username is hardcoded into the tool, script or malware: changing the default local admin username to something else blocks such an attack. Once again, this is not the most effective solution.

Important note: keep in mind that the first, default admin account carries a well-known security identifier (SID), which is fairly easy to find. Renaming the default admin is therefore security by obscurity and does not help against persistent attackers...

More information here: 

Docs: Local Accounts

"You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see Disable or activate a local user account and Rename a local user account."

Best option: Unique local admin password

Now, the third and most operational recommendation is to use a unique local admin password on each machine, random and/or derived from something that is unique to the machine itself.

The idea is to take something linked to the machine, such as the MAC address, the hard disk's serial number, the CPU's serial number or the disk volume ID, as a parameter, and build from it a password that is unique to each machine. Ideally, also add a parameter linked to the date, so that those local admin passwords can be changed over time (regular rotation is standard best practice). CSS Security recommends a password length of at least 16 characters.

Obviously, the algorithm must be known to the helpdesk and support teams, so that when they have to troubleshoot a machine they can rebuild the password using the same algorithm, giving it as input the "unique" value they retrieve manually from the machine. Last but not least, if you plan to deploy such a script through GPO, it will most likely be stored in Netlogon (or the GPO folder) and therefore be readable by anybody, so we recommend obfuscating the script's source code.
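The derivation described above, as an added reference implementation that is not part of the original article: the machine-unique value and a date-based rotation period are combined into a password through an HMAC keyed with an organisation secret. The secret, the quarterly rotation period, the 20-character default length, the character classes and the sample volume IDs are all assumptions of this example. Keying the derivation is the practical answer to the Netlogon concern: a script that is merely obfuscated still contains everything needed to rebuild every password, whereas with a keyed derivation the script in Netlogon can hold only the algorithm and the key stays with the helpdesk (for instance in a password vault). The deployment side would run the same function in PowerShell; the Python below is the shared algorithm that both the deployment script and the helpdesk tool must agree on.

```python
import hashlib
import hmac
from datetime import date

# Character classes chosen so the result satisfies the Windows complexity rule
# (three of four classes) and avoids glyphs that are easily confused when a
# helpdesk agent reads the password out over the phone (l/1/I, O/0).
LOWER = "abcdefghijkmnpqrstuvwxyz"
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
DIGITS = "23456789"
SYMBOLS = "!#$%&*+-=?@"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def rotation_period(day: date, months_per_period: int = 3) -> str:
    """Date parameter that forces a password change each period.

    Assumption of this example: quarterly rotation, e.g. "2016Q2".
    """
    period_index = (day.month - 1) // months_per_period + 1
    return f"{day.year}Q{period_index}"


def derive_local_admin_password(secret_key: bytes, machine_id: str,
                                period: str, length: int = 20) -> str:
    """Deterministically derive the local admin password of one machine for one period.

    secret_key: organisation secret held by the helpdesk, never stored in the GPO script.
    machine_id: value unique to the machine (disk volume ID, MAC address, serial...).
    period:     output of rotation_period(); changing it rotates every password.
    """
    if not 16 <= length <= 32:
        raise ValueError("length must be between 16 and 32 characters")
    # Normalise the identifier so "3a9f-11c2" typed by a helpdesk agent and
    # "3A9F11C2" read by the script yield the same password.
    ident = "".join(ch for ch in machine_id.upper() if ch.isalnum())
    digest = hmac.new(secret_key, f"{ident}|{period}".encode(), hashlib.sha256).digest()
    # Treat the 256-bit digest as one integer and peel off characters in a
    # mixed radix; unlike byte % len(alphabet) this introduces no modulo bias.
    n = int.from_bytes(digest, "big")
    chars = []
    # The first four positions draw from one class each, guaranteeing complexity.
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    # 28 remaining characters consume at most ~170 bits, well within the digest.
    while len(chars) < length:
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values: not a real secret, not real volume IDs.
    helpdesk_key = b"example-helpdesk-secret-replace-me"
    period = rotation_period(date(2016, 5, 10))
    for volume_id in ("3A9F-11C2", "7E04-B5D1"):
        print(volume_id, period, derive_local_admin_password(helpdesk_key, volume_id, period))
```

Because the same inputs always produce the same output, the helpdesk needs no database of passwords: an agent types the volume ID printed on the asset (or read from the machine) and the current period into the same function. Rotating the key itself, should it ever leak, changes every password on the next deployment run.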

Even more conveniently, you could also consider using Microsoft's free LAPS solution to generate unique (but still centrally managed!) passwords for local admin accounts: Download - Local Administrator Password Solution (LAPS)

Additional security measures

References