On every Windows machine, you will find there is a local administrator user, usually descriptively named “Administrator.” This user exists by default. It is there because the machine requires at least one administrator when it is first installed. For the most part, machines in an organization are managed by the domain administrator (once the machine is added to the domain, the domain administrator is also an administrator for that machine), and the local administrator is used in times of “crisis” - when there’s no network access, but physical access is available.
Although the new default for Windows 10 is to have the local administrator user disabled, this is often not the case. On many organization machines, the local administrator is enabled for IT purposes (for the “crisis” scenario). This typically happens when machines are deployed using some sort of prepared template, which also determines the local administrator’s password.
Here is the important point to note about this: If not changed, all the machines in the organization will have the same local administrator password!
Why is this a problem?
An attacker, or even a local malicious user, browsing around on a workstation they have administrator access to might be able to recover their own local administrator password (by dumping the local SAM database with a credential-dumping tool such as mimikatz or impacket). Once they know this password, they can attempt to access other machines in the network, on the assumption that the local administrator on those machines has the same password - this simple approach has a very good chance of working.
This, of course, is a major security issue. I’ve seen some places where the local administrator was not fully disabled, but was disabled for network logons only - meaning the local administrator can only be used when logged in directly on the local machine, and not remotely. Unfortunately this is still a major security issue, because it can be used for privilege escalation: an attacker simply logs in with any other account remotely, and then uses “run as” with the local administrator’s credentials to gain administrative privileges.
Another thing to look for is the Group Policy Object (GPO). In some cases, the GPO, which executes whenever anyone logs in to the machine, might contain some script or definition for the local administrator. That definition might just contain the local administrator password that is set on all machines, and since the GPO is readable by everyone, one can simply fetch it. I’ve seen some places where the GPO contains a script that performs a calculation on the machine’s name and MAC address to get a “random” password for the local admin. This means that anyone who knows the machine’s name and MAC address can access it.
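A defender-side check for the GPO problem described above, added here as an example and not code from the original post: it walks the domain’s SYSVOL share looking for Group Policy Preference items that carry a `cpassword` attribute (Microsoft has published the key used to encrypt that attribute, so anyone who can read SYSVOL can recover the value) and for logon/startup scripts that set a local account password. The function name, the SYSVOL path layout, and the script patterns are assumptions; the script needs read access to SYSVOL, which every domain user normally has.

```powershell
# Added example, not from the original post. Audits SYSVOL for the two ways a GPO can
# leak the local administrator password: GPP XML with cpassword, and scripts that set it.
function Find-GpoLocalAdminLeaks {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: run from a domain-joined host
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"

    # 1) Group Policy Preferences: any element with a cpassword attribute is a stored, recoverable password.
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'
    Get-ChildItem -Path $policies -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $gppFiles } |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                [pscustomobject]@{
                    Finding = 'GPP item stores a password (cpassword)'
                    File    = $_.FullName
                    Account = $node.GetAttribute('userName')   # Groups.xml carries the local user name here
                }
            }
        }

    # 2) Logon/startup scripts that touch a local account password, e.g. "net user Administrator ..."
    #    or "Set-LocalUser". A match is a lead for a human to read, not proof of a leak.
    Get-ChildItem -Path $policies -Recurse -Include '*.bat', '*.cmd', '*.ps1', '*.vbs' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'net\s+user\s+\S+\s+\S+', 'Set-LocalUser', 'SetPassword' |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'Script sets a local account password'
                File    = $_.Path
                Account = $_.Line.Trim()
            }
        }
}

# Usage: review every hit; a GPO that derives the password from the machine name or MAC
# address shows up under the second finding and should be replaced, not patched.
Find-GpoLocalAdminLeaks | Format-Table -AutoSize -Wrap
```

The `cpassword` check is the one Microsoft’s own guidance for MS14-025 asks administrators to run; the script scan is a coarse regular-expression sweep and will need tuning to the naming conventions used in your own policies.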
So how can we manage this threat?
A good solution would be to simply disable the local administrator on all of the network’s machines. This approach solves the security problem completely, but leaves no room for IT to handle crisis situations.
Another approach is to set a truly random and unique password for each machine. This allows IT to keep using the passwords, but will not allow an attacker to reuse the credentials (assuming IT knows all of the passwords). Microsoft recently released a sample tool that does just that - using the GPO, it creates a random password for the local administrator, and securely stores that password in the AD record for that machine.
Whatever approach is used, it’s important to note that keeping the local administrator a non-threat requires maintenance. The network admin should make sure the passwords are unique and are not reused, or not usable at all. This needs to happen even when deploying machines from a template, or when deploying manually. Having all unique passwords is a delicate state - it is much easier to have the same password everywhere, and it can easily happen if attention is not kept.
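The rotation approach above, as an added example and not the tool the post refers to or any code from the original post: a script that generates a unique, cryptographically random password per machine, escrows it through a caller-supplied vault hook, and then sets it on the built-in Administrator account (found by its well-known RID 500, so a renamed account is still handled). The function names, the vault scriptblock, and the computer names are assumptions; it relies on PowerShell Remoting and the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later), and the caller must be an administrator on each target.

```powershell
# Added example, not from the original post. Unique random local admin password per machine.
function New-RandomPassword {
    param([int]$Length = 24)
    # Look-alike characters (0/O, 1/l/I) are left out so a value read back from the vault is usable.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: no modulo bias
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    return -join $chars
}

function Set-UniqueLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Hypothetical hook: called with (computer, password) so the caller plugs in their own vault.
        [Parameter(Mandatory)][scriptblock]$StoreSecret
    )
    foreach ($computer in $ComputerName) {
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        try {
            # Escrow first: if the vault write fails we have changed nothing, and if the remote
            # change fails the run reports it so the stale vault entry can be reconciled.
            & $StoreSecret $computer $plain
            Invoke-Command -ComputerName $computer -ArgumentList $secure -ScriptBlock {
                param([securestring]$NewPassword)
                # Built-in Administrator always has RID 500, whatever it has been renamed to.
                $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
                Set-LocalUser -SID $admin.SID -Password $NewPassword
            }
            [pscustomobject]@{ ComputerName = $computer; Rotated = $true;  Error = $null }
        }
        catch {
            [pscustomobject]@{ ComputerName = $computer; Rotated = $false; Error = $_.Exception.Message }
        }
        finally {
            $plain = $null   # drop the clear-text copy as soon as it has been escrowed and applied
        }
    }
}

# Constructed sample run: replace the list with Get-ADComputer output and the hook with a real vault.
$ComputerList = @('WS-FLOOR2-01', 'WS-FLOOR2-02')
Set-UniqueLocalAdminPassword -ComputerName $ComputerList -StoreSecret {
    param($Computer, $Password)
    # Hypothetical vault call goes here; never write the value to a plain file or a script.
    Write-Verbose "escrowed local admin password for $Computer"
} | Format-Table -AutoSize
```

Run it from a scheduled job so that the rotation is repeated, which is the maintenance the paragraph above calls for; a machine that fails to rotate keeps its old password and shows up as `Rotated = False` for follow-up.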
Discovering the problem is a major issue on its own - if you have hundreds, or thousands, of machines in your network, some might have been deployed such that they share the local administrator password. Maybe just the machines located on floor 2, maybe just the machines in accounting, or maybe just the executives’ machines. This is most likely the common case, since machines might have been deployed in batches, by different people, and so on.
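A way to start the discovery described above, added here as an example and not code from the original post: it collects the state of the built-in Administrator account from every machine and groups the enabled accounts by the second-resolution `PasswordLastSet` timestamp. Machines cloned from one image inherit the image’s local SAM, including that timestamp, so a cluster of machines sharing an identical timestamp is a strong hint (a heuristic, not proof) that they share the password as well. The function names and computer names are assumptions; it needs PowerShell Remoting, the `Microsoft.PowerShell.LocalAccounts` module, and administrator rights on the targets.

```powershell
# Added example, not from the original post. Finds groups of machines whose built-in
# Administrator account is enabled and carries the same PasswordLastSet timestamp.
function Get-LocalAdminStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        # Match on the well-known RID 500 so a renamed Administrator account is still found.
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            AccountName     = $admin.Name
            Enabled         = $admin.Enabled
            PasswordLastSet = $admin.PasswordLastSet   # $null when the password was never set
        }
    }
}

function Find-SharedAdminPasswordCandidates {
    param([Parameter(Mandatory)][object[]]$Status)
    # Heuristic: identical PasswordLastSet (to the second) across several machines means the
    # password was set once, before cloning, and therefore is the same on all of them.
    $Status |
        Where-Object { $_.Enabled -and $_.PasswordLastSet } |
        Group-Object { $_.PasswordLastSet.ToString('s') } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                PasswordLastSet = $_.Name
                MachineCount    = $_.Count
                Machines        = ($_.Group.ComputerName -join ', ')
            }
        }
}

# Constructed sample run: in practice feed it the computer list from Get-ADComputer.
$ComputerList = @('WS-ACCT-01', 'WS-ACCT-02', 'WS-EXEC-01')
$status = Get-LocalAdminStatus -ComputerName $ComputerList
$status | Where-Object Enabled | Format-Table ComputerName, AccountName, PasswordLastSet
Find-SharedAdminPasswordCandidates -Status $status | Format-Table -AutoSize -Wrap
```

Machines that do not answer are simply missing from the output, so compare the result against the full inventory; anything unreachable or flagged here is a candidate for the rotation script rather than for manual investigation of the password itself.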
In summary, the local administrator password can cause a major security issue in any network. A best practice to follow would be to have unique and random passwords per machine, distributed in a secure manner that still allows IT to know all of the passwords. Finally, after that is done, regular maintenance is required to make sure local passwords were not reset or defaulted.

To learn more about how Preempt can help you with detecting weak and shared passwords, check out our product page.