The ‘Local Administrator’ account on a Windows workstation is one of the scariest of all accounts. Not ‘scary’ in the sense that it has more privileges than other accounts (Domain Administrator, NT Authority\System etc.), but ‘scary’ in the sense that System Administrators often overlook it as a huge security risk. The risk of this account is that, more often than not, every computer in a given network will have the same local administrator account with the same password (usually due to standardisation and SOE imaging throughout the company).
“So what? The local admin account on our network won’t get you any network resources. Every user’s profile on the domain is stored on the server, nothing is local and everything has correct access permissions. Even if an attacker got this password and logged in to a machine, they can’t do anything (and good luck installing a keylogger or some malware – we have Anti-Virus!)” – I hear some of you System Admins saying.
Not true. Not true at all. The local admin account, if an attacker can get it, is a very valuable and damaging weapon. In this post I will point out ways that an attacker can not only obtain the local admin account and password for a given network environment, but also how they can use it to penetrate your entire Windows Domain, gaining domain credentials along the way. (I previously wrote a post about a disgruntled IT employee using local admin to pilfer his boss's bank account.)