Dangerous local administrator group

In many enterprises around the globe, the organization policy is to add end users to the local Administrators group on their assigned PC. The reason for that is most likely legacy applications which require administrative privileges in order to run correctly.

These organizations are most likely to consume extra resources in the Help desk department and would probably have to deal with viruses and licensing issues since users can install any application they like.

However, the greatest risk in setting the end users as local administrators is information security. Here is a little scenario that demonstrates how easy it is to get hold of sensitive information when users are set as local administrators:

Imagine yourself an employee that was “planned” in your organization by a business competitor and was assigned the task of retrieving documents and Emails which belongs to the CFO. This employee has been accepted to work in a legitimate way and was given a user account and a workstation on which he is defined as local administrator.

Now, this employee performs the following simple tasks:

  • Creates a local account named ‘Whatever’.
  • Make ‘Whatever’ a member of the local Administrators group.
  • Login using the new account.
  • Installs a Key-Logger application.
  • Deletes the account and empty the security log.

At this point, all he has to do is create some sort of problem in his workstation, open a support call, shut down the computer and go home.

Once the technician arrives to the workstation, he will log on using his account (which is probably defined as Administrator on all workstations). The key-logger will log his password and now our dear spy has Administrator privileges on all workstations in the organization.

From now on, the malicious user can install a key logger on any workstation he wants and retrieve the credentials of almost every user in the organization.

As you can see, there is no need for some master hacker that will break through your firewalls in order to perform this simple task.

The obvious cure to that weakness is to remove end users from the local Administrators group. It does sound pretty simple, it’s a challenge

Be the first to comment

Leave a Reply

Your email address will not be published.