Managing The Local Administrator Password - Part 1 - The Issue

Local administrator password has always been a cause of a headache for security professionals. There hasn’t been a good and free way to manage the password on a large scale and most organizations ended up using the same password on all desktops or even servers. This introduces a number of vulnerabilities, such as:

  • All IT Staff know the password
  • The password is never changed
  • The password inevitably becomes known to the users and various 3rd parties
  • Machines are exposed to pass-the-hash attacks 

If an attacker, a malware or an evil insider gains access to a single machine currently logged on under the local admin account they will be able to access all machines by executing a script or using built-in management tools. Moreover, compromise of a single machine will allow an attacker to grab a password hash and use it to access other computers.

The local administrator password can be managed using Group Policy Preferences as detailed in the following article: 


While this satisfies most compliance requirements (they generally only require that passwords are changed at a set interval), this still leaves all computers with a single password. Furthermore, Group Policy Preferences store encrypted passwords in the SYSVOL folder and the encryption key is published on MSDN:


Clear text passwords can be retrieved from Group Policy Preferences using a PowerShell script as detailed in the article below:


Summarizing, GPO Preference is not a good solution.

As to other solutions, there is one from SANS. I haven’t explored it but it does look comprehensive:


No comments:

Post a Comment