Local Security Solution

Desktop lockdown and manageability mean different things to different organizations. Depending on who you talk to within an organization, you will hear practices like applying patches in a timely manner, applying and enforcing group policies, installing endpoint security solutions, and user education. Each of these is correct to a certain extent; however, they leave out the most “un-obvious” security risk that almost every organization has, and one that is rarely accounted for: the local Administrator account!

Every machine has a local Administrator account and group that is created at the time the system is built. In many cases the account name and password are the same on every system; in fact, it is a common practice to assign the same local administrator name and password to every workstation in a Windows domain. This is especially true for environments that leverage any form of “image distribution” to provision their systems. The practice of assigning the same local administrator name and password to every workstation in a domain is arguably the largest security hole any company can have. If someone gains access to this common account’s password, they have full administrator access to all other machines in the organization with that same account. (Remember: all of the systems very likely have the same administrative password.)

Cracking the common local administrator password can be done in seconds using rainbow tables and a boot device. If all workstations, and in some cases servers, use the same built-in administrator account and password, then once a single machine has been compromised, an ordinary user has unfettered access to all systems.

Local Security Solution from Arellia provides centralized management that quickly and easily provisions and manages local administrative users and groups within the environment. Its automated policy enforcement of group membership and randomization of administrative passwords across systems secures the corporate network from malicious attacks. Local password management eradicates stale and duplicate passwords, maintains authorized local accounts, and randomizes passwords on each desktop to block anonymous data access and the ability to bypass access controls. Password randomization is important to having a secure environment after provisioning users and groups. All passwords on the client are encrypted using 128-bit encryption. This encryption is maintained throughout all client/server communications as well as during storage of the password in the database. The only time passwords are exposed in clear text is during the display of the password in the console using the “Show Managed Password” command. All “Show Managed Password” command requests are logged in the database for notification and reporting purposes.
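
The stale and duplicate passwords described above can be measured before and after randomization. The following is an added example, not Arellia's code: it audits a constructed inventory and reports which hosts share a local administrator password and which passwords are older than a threshold. The inventory layout, the `fingerprint` field, the host names and the 90-day threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory rows: (host, account, fingerprint, password_last_set).
# "fingerprint" is a hypothetical field: any unsalted verifier your own
# inventory tooling records, so equal fingerprints imply equal passwords.
INVENTORY = [
    ("WS-001", "Administrator", "fp-a1", date(2020, 1, 6)),
    ("WS-002", "Administrator", "fp-a1", date(2020, 1, 6)),
    ("WS-003", "Administrator", "fp-a1", date(2020, 1, 6)),
    ("SRV-01", "Administrator", "fp-a1", date(2020, 1, 6)),
    ("WS-004", "Administrator", "fp-c7", date(2021, 3, 1)),
    ("WS-005", "LocalAdmin", "fp-d9", date(2019, 6, 1)),
]


def audit_local_admins(inventory, today, max_age_days=90):
    """Flag duplicate and stale local administrator passwords."""
    hosts_by_fp = defaultdict(set)
    stale = set()
    for host, _account, fingerprint, last_set in inventory:
        hosts_by_fp[fingerprint].add(host)
        if (today - last_set).days > max_age_days:
            stale.add(host)

    # Each cluster is a set of machines that fall together: recovering the
    # password on one member yields administrator access on all of them.
    clusters = sorted(
        (sorted(hosts) for hosts in hosts_by_fp.values() if len(hosts) > 1),
        key=lambda c: (-len(c), c),
    )
    fleet = {row[0] for row in inventory}
    worst = len(clusters[0]) if clusters else 1
    return {
        "duplicate_clusters": clusters,
        "stale_hosts": sorted(stale),
        "unique_hosts": sorted(
            h for hs in hosts_by_fp.values() if len(hs) == 1 for h in hs
        ),
        # Share of the fleet exposed by the single worst password compromise.
        "worst_case_exposure": worst / len(fleet) if fleet else 0.0,
    }


if __name__ == "__main__":
    report = audit_local_admins(INVENTORY, today=date(2021, 4, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A fleet whose passwords are randomized per machine and rotated on schedule returns no duplicate clusters, no stale hosts, and a worst-case exposure of one host.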