Local accounts with administrator privileges enable users to carry out software installations, change certain system settings and perform many other tasks without relying on help desk technicians and system administrators. This leads to the pertinent question: Is there a way to eliminate local admin accounts, overcome these hurdles and make the process seamless? Employees might have to wait for permissions resulting in delays, productivity loss, and frustrations. But this approach leads to the introduction of the ‘request-approval’ concept, which is inefficient. One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and making everyone a standard user.
In this part, let us analyze the pros and cons of eliminating local admin rights altogether. We had both so we needed two scripts.In the previous two parts ( part 1 and part 2), we dealt with the importance of local admin accounts, the associated security risks, the need for managing them properly, and the risk mitigation strategies. What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. Both can however also be used locally on the servers. Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended).
Set a new ‘impossible’ password that nobody knows (45chrs).Delete all accounts except the default administrator (Disable default on 2016).To mitigate this, we planned to do the following: In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators.
0 kommentar(er)
