Local administrator access is present on nearly every information system around the globe. We all have the best intentions to use the local administrator only for the initial setup of a device, but many of us continue to use these accounts for various reasons. The main reason this is a problem is that we lose central accountability and control over authorizations and authentications. This opens our systems up to sophisticated attacks, such as local privilege escalation, that often go completely unnoticed. Take for instance vulnerabilities that exist today in the Windows operating system. Symantec reports that Microsoft Windows is prone to a local privilege-escalation vulnerability in the Windows kernel. The affected technologies range from Windows Vista all the way through Windows 10, and all Windows Server operating systems from 2008 through 2012 R2 are affected as well. This is a prime example of why local administrators should be tightly controlled or totally disabled whenever possible.
Windows is not the only operating system prone to local privilege escalation. Linux kernel vulnerabilities identified in the last few months relate to a reference leak in the keyrings facility; any Linux kernel version 3.8 and higher is affected. This information comes straight from the Red Hat Security team, and the issue has been patched in a security update. The point to keep in mind is that local accounts are consistently at risk because bugs and zero-day exploits surface in operating systems on a weekly basis. The best way to help control the potential damage is to use the technology available from STEALTHbits Technologies to:
- Identify local administrators and the access they have
- Analyze the access that has been granted, if the access is still necessary, and if it can be removed
- Remediate any open access points, excessive permissions, or unneeded elevated privileges
- Report the before and after of the discovered account, access, and permissions
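The first step above, identifying who holds local administrator rights, is straightforward to script on the Linux side of the picture. The following is an added example, not STEALTHbits code: it reads passwd and group data (constructed sample content here, so it runs offline) and lists every UID 0 account plus the members of the usual privileged groups; the group names `sudo`, `wheel` and `admin` are an assumption about typical distributions.

```shell
#!/bin/sh
# Added example (not STEALTHbits code): inventory local admin-equivalent
# accounts on a Linux host from passwd/group data. The file contents are
# passed as arguments so the same function works on real files:
#   find_local_admins "$(cat /etc/passwd)" "$(cat /etc/group)"
find_local_admins() {
  passwd="$1"
  group="$2"
  # Any account with UID 0 is root-equivalent, whatever it is called.
  printf '%s\n' "$passwd" | awk -F: '$3 == 0 { print "uid0:" $1 }'
  # Members of the common privileged groups (assumed names: sudo on
  # Debian-derived systems, wheel on RHEL-derived, admin on some others).
  printf '%s\n' "$group" | awk -F: '
    $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }'
}

# Constructed sample data. Note the second UID 0 account ("toor"): this is
# exactly the kind of finding the analyze/remediate steps exist for.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
wheel:x:10:bob,alice
users:x:100:'

# Print a sorted, de-duplicated inventory of privileged local accounts.
find_local_admins "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | sort -u
```

Run against a fleet, the output per host is the "before" picture that the report step compares against once unneeded entries are removed.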
The key takeaway here is that knowing where local administrators have access is the first step in understanding what level of risk your organization is willing to accept.
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.