Windows local admin accounts are a security problem for every organization because one set of login credentials is typically used by many IT administrators. This can make it difficult or even impossible to implement an identity access management policy because organizations cannot track who is gaining access to what network equipment at any given time. These accounts are everywhere – Windows workstations, servers and even your laptop fleet.
Finding all of the Windows local administrator accounts is a challenge, especially as new machines are rapidly deployed in virtual environments. These accounts are especially important because they are the prime target for an attacker who breaches a workstation. Once the attacker breaks the admin password, he can re-use the password to breach other machines on the network. Therefore, these passwords must to be randomized, changed regularly to prevent attacks, and usage needs to be carefully controlled and attributed to the correct user through audit trails.
Windows server administrators need to use domain admin (DA) accounts to perform standard administrative tasks. Ideally, AD domain admin accounts should only be used when privilege is required (admins should not run as a domain admin for their regular AD account) and they should only be used by a single administrator for accountability. Also, these accounts are highly susceptible to Pass the Hash attacks because their passwords are not frequently changed. Pass the Hash is when an adversary can use the password hash from a previous domain admin logon to emulate that user on other systems. This gives attackers domain admin access across the network. To protect these accounts, privilege management is very important. Access should be controlled and audited and passwords must be changed frequently to prevent Pass the Hash attacks – ideally after each usage of the account.