Local Administrators

It’s daunting to have to secure all the layers of your network and devices, and an important measure toward your defense in-depth strategy is to control the Local Administrator accounts on your servers and computers. The Local Administrator account is built into Windows, and often organizations use the same password for every local admin on all devices (computers and servers). This can be a significant risk because these accounts have elevated privileges and can perform activities such as:

• Install software,
• Disable antivirus,
• Change hardware configurations,
• Encrypt hard drive boot records,
• Disable backup agents,
• Delete or change event logging, and more…

There are multiple solutions to control or restrict local administrator privileges, including disabling all local admins, and/or implementing third party provided endpoint privilege managers. For organizations who want to easily control and change local admin passwords, the Windows LAPS (Local Administrator Password Solution) tool is a free and supported solution. When implemented, Windows LAPS works with either Microsoft Entra or Active Directory to manage local admin account passwords. The primary benefits of Windows LAPS include:

• Dynamic password management – LAPS can automatically update and change passwords at regular intervals.
• Centralized management and control – From a centralized management console, admins can use Windows LAPS to define specific users and groups to have access to local admin passwords.
• Audit trail – Windows LAPS provides forensic data in the event of an incident.
• Compliance – Windows LAPS can help you meet various regulatory requirements.

Overall, organizations should examine their use of all local accounts on Microsoft Entra joined or Windows Server Active Directory-joined devices. You should examine reports on all the local user accounts and their properties and manage the privileges for those accounts to reduce your cybersecurity risks. Managing the Local Administrator account passwords can be one of the first steps towards mitigating the risks and increasing your control.
Some helpful resources include https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview and https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

Authored by: David McCabe, MBA, ISC2 CC