The Danger of Local Administrative Privileges


Convenience vs. Security

Users enjoy the freedom of having local administrative rights on their workstations. They can add/remove programs, install printers, etc. without requiring assistance from the IT department. In a small organization with limited IT resources, granting users local admin rights allows IT to focus on more important projects. However, convenience often comes at a cost.


Abusing Local Admin Privileges

If an attacker compromises a user account with local admin privileges, it could spell disaster for an organization. Would you want to give hackers the ability to do any of these things?

  • Disable endpoint antivirus
  • Install malicious software
  • Encrypt data with ransomware
  • Move laterally within a network
  • Generally weaponize the system against the organization


During a recent internal penetration test, our network security team demonstrated how an attacker could leverage an account with local admin privileges to take over a domain. Using various attacks, we were able to compromise a regular user account and password. Using a tool named CrackMapExec, we then determined the stolen account had local admin rights on two devices on the network.

[Figure: Local Admin Access]

The same tool allowed us to download local password hashes of local accounts on those devices.

[Figure: Local Admin Access]

Attackers don’t even have to crack these password hashes in order to use them. CrackMapExec allows an attacker to authenticate to other devices with a captured local account hash (a pass-the-hash attack) and determine what level of access that account has on each of them.


Here’s the worst part: One of the two devices that our compromised account could access with local admin rights was the client’s Primary Domain Controller. Accessing this server with the local admin account meant we had found the keys to the kingdom, effectively giving us complete administrative access to ALL domain resources.
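A defender can look for this same exposure before an attacker does. The following PowerShell script is an added example, not code from the original post: it enumerates the local Administrators group on a list of workstations (placeholder names) and flags every member that is not on an expected allow-list.

```powershell
# Added example, not from the original post: audit which accounts hold local
# admin rights on a set of workstations and flag the ones that should not.
# Computer names and the allow-list below are placeholders for this example.
$Computers = @('WKS-01', 'WKS-02', 'WKS-03')        # placeholder workstation names
$Allowed   = @('Administrator', 'Domain Admins')     # members expected to be there

$Findings = foreach ($Computer in $Computers) {
    try {
        # Query the remote host's local Administrators group over PowerShell remoting
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators'
        }
    }
    catch {
        Write-Warning "Could not query ${Computer}: $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        # Names come back as DOMAIN\name or COMPUTER\name; compare the short name
        $ShortName = ($Member.Name -split '\\')[-1]
        [pscustomobject]@{
            Computer    = $Computer
            Member      = $Member.Name
            ObjectClass = $Member.ObjectClass       # User or Group
            Source      = $Member.PrincipalSource   # Local or ActiveDirectory
            Unexpected  = ($ShortName -notin $Allowed)
        }
    }
}

# Every row flagged here is a candidate for removal from the local Administrators group
$Findings | Where-Object Unexpected | Sort-Object Computer, Member | Format-Table -AutoSize
```

Running this from the pentest's perspective in reverse, a regular domain user showing up on any workstation is exactly the foothold described above.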


Benefits of Removing Local Admin Rights

Removing local admin access might not be well received by users. However, doing so provides many benefits to an organization’s security posture:

  • Lowers risk of malware infections
  • Ensures antivirus and other protections remain active
  • Reduces an attacker’s ability to exploit vulnerabilities


Special Circumstances

Most employees do not need local admin access to perform their daily job duties. However, some users may occasionally require higher privileges to complete a task. For these situations, it is recommended to create a separate account with admin-level access. The employee should only use the privileged account when necessary to complete their work.


Another alternative is to identify exactly which folders, executables, and registry keys the legacy software (the application preventing the organization from removing local admin privileges) needs elevated access to. This can be done with Diskmon from Sysinternals. The user account can then be granted admin-level access only to those specific items, removing the business need for local admin privileges.
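As an added example (not from the original post), the following PowerShell grants a user modify rights on only the folder and registry key a legacy application was found to need, then removes that user from the local Administrators group. The user, folder path, and key are placeholders, and the script assumes it runs from an elevated session on the workstation.

```powershell
# Added example, not from the original post: give one user exactly the file and
# registry access a legacy application needs, instead of local admin rights.
# The user, folder and key are placeholders; run from an elevated session.
$User      = 'CORP\jdoe'                     # placeholder domain user
$AppFolder = 'C:\Program Files\LegacyApp'    # placeholder folder the app writes to
$AppKey    = 'HKLM:\SOFTWARE\LegacyApp'      # placeholder key the app writes to

# Folder: Modify rights (not Full Control) on the folder, its subfolders and files
$FolderAcl  = Get-Acl -Path $AppFolder
$FolderRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $User,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$FolderAcl.AddAccessRule($FolderRule)
Set-Acl -Path $AppFolder -AclObject $FolderAcl

# Registry: read the key plus write values and subkeys beneath it, nothing else
$KeyAcl  = Get-Acl -Path $AppKey
$KeyRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $User,
    [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$KeyAcl.AddAccessRule($KeyRule)
Set-Acl -Path $AppKey -AclObject $KeyAcl

# With scoped rights in place, the account no longer needs to be a local admin
if (Get-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $User
}

# Verify: the user appears in both ACLs and is absent from the Administrators group
(Get-Acl -Path $AppFolder).Access | Where-Object { $_.IdentityReference.Value -eq $User }
(Get-Acl -Path $AppKey).Access    | Where-Object { $_.IdentityReference.Value -eq $User }
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
```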


Lock it Down

Granting users local admin access was a common practice in the past. However, modern security threats require IT professionals to move beyond the mindset of “this is how we’ve always done it.” The risks associated with local admin access far outweigh the benefit of convenience. Remove local admin access from your users before hackers take advantage of this unsafe, outdated practice.



Written by: Patrick Gillespie, Senior Network Security Engineer and Regional Director
SBS CyberSecurity


Posted: Tuesday, April 27, 2021
Categories: Blog