Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.
The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.
For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.
Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.
Local Accounts for Remote Administration
In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution in place, and if you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.
Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.
If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:
- Deny access to this computer from the network
- Deny log on through Remote Desktop Services
- Apply UAC restrictions to local accounts on network logon
The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.
As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an unnamed account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.