
By now I would hope that, unless there were extenuating circumstances, all users (including administrative users) use a low-level account for their daily activities and raise their permissions to perform administrative tasks.

Obviously domain-based tasks need to utilize a domain account, but software & driver installation can be done via local admin.

In thinking in terms of preventing lateral movement through a network, is elevating to a domain or local account the safest option?

DKNUCKLES

1 Answer

Risk

Two attack vectors to keep in mind here:

  • If an attacker compromises the Local Admin account and it uses a common password with other systems in the environment, it's a security risk because of credential sharing.
  • If a user elevates to a Domain Admin account, his credentials are available in plaintext (during his logged-on session) and available in a cached form thereafter. Note: The cached credentials may or may not be available, but they are enabled by default in Windows and store 10 of the last logged-in users. So the security risk here is that if DA credentials are compromised, the lateral movement involves the entire domain.

Solution

You know the saying about opinions... (insert cliché here), but here is my recommendation to clients.

  • Randomize the local admin password for all systems in the domain (research Microsoft LAPS for more info), and even systems not in the domain.
  • Use the local admin for system-level changes (patching, updating, installing, etc.).
  • Set Domain Admin accounts to only be able to log on to Domain Controllers to reduce the risk of leaving credentials in the environment.
  • Optionally, create a "Power IT User" for admin tasks on servers within the environment that is not a domain admin, if users balk about needing to log in as a local admin every time. Be sure to disable cached credentials, and make sure users log off when finished.
HashHazard
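As an added example (not part of the question or of HashHazard's answer), here is a read-only PowerShell audit that checks a member machine for the three controls the answer recommends: cached domain credentials turned off (`CachedLogonsCount`, Windows default 10), a LAPS policy present so the local admin password is randomized, and Domain Admins kept out of this host via the "Deny log on" user rights that GPO uses to restrict DA logons to Domain Controllers. The `Winlogon` and legacy LAPS (`AdmPwd`) registry paths are well known; the Windows LAPS policy path is an assumption labelled in the code, and the script only reads state, it changes nothing.

```powershell
# Added audit example; not code from the original post. Run from an elevated
# PowerShell on a domain-joined host. Read-only: reports state, changes nothing.

function Get-CachedLogonsCount {
    # Winlogon\CachedLogonsCount is how many domain logons Windows caches locally.
    # Absent value means the default (10) applies; 0 disables caching.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Test-LapsPolicyPresent {
    # Legacy LAPS (AdmPwd) policy key and its AdmPwdEnabled value.
    $legacy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    # Windows LAPS policy key; ASSUMPTION: adjust if your deployment writes policy elsewhere.
    $modern = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $legacyOn = (Get-ItemProperty -Path $legacy -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1
    $modernOn = Test-Path -Path $modern
    return [pscustomobject]@{ LegacyLaps = [bool]$legacyOn; WindowsLaps = [bool]$modernOn }
}

function Get-DenyLogonRights {
    # Export the effective local security policy and collect the SeDeny*Right lines.
    # Values are comma-separated SIDs written as *S-1-5-21-...-RID (or account names).
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $tmp | Out-Null
    $rights = @{}
    if (Test-Path $tmp) {
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^(SeDeny\w+Right)\s*=\s*(.*)$') {
                $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim() }
            }
        }
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    return $rights
}

function Get-AdminHygieneReport {
    $cached = Get-CachedLogonsCount
    $laps   = Test-LapsPolicyPresent
    $deny   = Get-DenyLogonRights

    # Domain Admins always carries RID 512, so match the SID suffix rather than a name.
    $daDeniedVia = foreach ($right in $deny.Keys) {
        if ($deny[$right] -match '-512$') { $right }
    }

    [pscustomobject]@{
        CachedLogonsCount     = $cached
        CachedCredsDisabled   = ($cached -eq 0)
        LapsPolicyDetected    = ($laps.LegacyLaps -or $laps.WindowsLaps)
        DomainAdminsDeniedVia = @($daDeniedVia)   # e.g. SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight
        DomainAdminsRestricted = (@($daDeniedVia).Count -gt 0)
    }
}

Get-AdminHygieneReport | Format-List
```

A host that returns `CachedCredsDisabled = False`, `LapsPolicyDetected = False`, or `DomainAdminsRestricted = False` is one where the answer's risks still apply: cached DA hashes linger after an elevated session, a shared local admin password lets one compromised box open the rest, and nothing stops a DA from logging on and leaving credentials behind. The fixes belong in GPO (the CachedLogonsCount policy, the LAPS policy, and the five "Deny log on ..." user rights assignments scoped to Domain Admins on non-DC OUs), not in this script.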