Local administrator password has always been a cause of a headache for security professionals. There hasn’t been a good and free way to manage the password on a large scale and most organizations ended up using the same password on all desktops or even servers. This introduces a number of vulnerabilities, such as:
- All IT Staff know the password
- The password is never changed
- The password inevitably becomes known to the users and various 3rd parties
- Machines are exposed to pass-the-hash attacks
If an attacker, a malware or an evil insider gains access to a single machine currently logged on under the local admin account they will be able to access all machines by executing a script or using built-in management tools. Moreover, compromise of a single machine will allow an attacker to grab a password hash and use it to access other computers.
The local administrator password can be managed using Group Policy Preferences as detailed in the following article:
While this satisfies most compliance requirements (they generally only require that passwords are changed at a set interval), this still leaves all computers with a single password. Furthermore, Group Policy Preferences store encrypted passwords in the SYSVOL folder and the encryption key is published on MSDN:
Clear text passwords can be retrieved from Group Policy Preferences using a PowerShell script as detailed in the article below:
Summarizing, GPO Preference is not a good solution.
As to other solutions, there is one from SANS. I haven’t explored it but it does look comprehensive: