You are likely aware that every Windows workstation has a built-in local administrator account. You may not be aware, however, of how common and easy it is for an attacker to obtain the credentials for that account from a single compromised workstation and use the account as a stepping stone to begin taking control of a Windows network. This is a common practice for us as penetration testers. As attackers, we copy the Security Account Manager (SAM) database, the file that holds the usernames and password hashes of the machine's local accounts. We can then either recover the clear-text administrator password from its hash by password cracking, or skip cracking entirely and authenticate with the hash itself using a pass-the-hash attack. If the same local administrator account and password are in use on other machines in the environment, the attacker uses the stolen credentials to connect to those workstations and servers over the network.
Once the attacker has gained local administrative access to a number of workstations and servers, they will often steal domain administrator passwords and other privileged domain passwords through keylogging and memory scraping attacks. These are often the earliest stages of the network-wide ransomware/cyber extortion attacks that you commonly see in the news today.
Here are two effective ways to lock down your Windows environment against a leaked local administrator credential, plus a way to detect the credential being used.
Deny Network Logon
Denying local accounts the ability to perform network logons is a great way to lock down the network: a stolen local administrator hash is then useless for connecting to other machines, even if the password is the same everywhere. To change this setting, navigate to the Group Policy path Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and add the built-in groups Guests, Local account and Local account and member of Administrators group to the policy named Deny access to this computer from the network. The two "Local account" groups (SIDs S-1-5-113 and S-1-5-114) exist on Windows 8.1 and Server 2012 R2 and later, and on Windows 7, 8, Server 2008 R2 and 2012 once update KB2871997 is installed, so make sure the fleet has them before you deploy the policy. Microsoft's guidance applies the same groups to Deny log on through Remote Desktop Services as well, so that the account cannot be used over RDP either.
For more information, take a look at Microsoft’s Blocking Remote Use of Local Accounts blog.
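The following script is an added example, not code from the original post or from Microsoft, that checks whether the policy above actually took effect on a given machine. It exports the effective local security policy with secedit.exe (which includes settings applied by Group Policy) and looks for the three SIDs in the SeDenyNetworkLogonRight line. It assumes you run it elevated on a domain-joined machine and that the exported INF uses secedit's usual "*SID" list format:

```powershell
# Added example (not from the original post): verify the effective security policy
# denies network logon to local accounts. Run elevated; secedit.exe ships with Windows.
# Assumption: the exported INF lists SeDenyNetworkLogonRight entries as *SID values.

# Well-known SIDs the recommended setting should produce
$ExpectedSids = @{
    'S-1-5-32-546' = 'Guests'
    'S-1-5-113'    = 'Local account'
    'S-1-5-114'    = 'Local account and member of Administrators group'
}

function Get-DenyNetworkLogonSids {
    # Export only the user-rights area of the effective policy to a temp file
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' }
        if (-not $line) { return @() }               # right not assigned to anyone
        $value = ($line -split '=', 2)[1].Trim()
        # secedit writes SIDs with a leading '*'; plain names (rare) have none
        $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-DenyNetworkLogonPolicy {
    $assigned = @(Get-DenyNetworkLogonSids)
    $ok = $true
    foreach ($sid in $ExpectedSids.Keys) {
        $present = $assigned -contains $sid
        if (-not $present) { $ok = $false }
        $state = if ($present) { 'OK' } else { 'MISSING' }
        Write-Host ('{0,-8} {1,-13} {2}' -f $state, $sid, $ExpectedSids[$sid])
    }
    # Report anything else on the list, resolved to a name where possible
    foreach ($entry in $assigned | Where-Object { $_ -notin $ExpectedSids.Keys }) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $entry).Translate(
                        [System.Security.Principal.NTAccount]).Value
        }
        catch { $name = $entry }
        Write-Host ('{0,-8} {1,-13} {2}' -f 'ALSO', $entry, $name)
    }
    return $ok
}

if (Test-DenyNetworkLogonPolicy) { 'Deny network logon for local accounts: configured' }
else { 'Deny network logon for local accounts: NOT fully configured' }
```

A MISSING line for S-1-5-113 or S-1-5-114 on an otherwise correctly targeted machine usually means the OS predates those SIDs (see the KB2871997 note above) or Group Policy has not refreshed yet; run gpupdate /force and check again.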
Randomize Local Administrator Passwords
During penetration tests, we commonly see the same local administrator password re-used throughout the network, which is exactly what turns one compromised workstation into access to all of them. Manually creating and managing a unique random password for each system quickly becomes an internal headache. Luckily there are solutions to automate this process. Consider a commercial privileged password management solution, or use the Local Administrator Password Solution (LAPS), which is free from Microsoft: it sets a unique, regularly rotated password on each machine's built-in administrator account and stores it in Active Directory, where only authorized users can read it. For more information, see https://blogs.msdn.microsoft.com/laps/.
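Deploying LAPS is only half the job; machines the client-side extension never reached keep their shared password. The script below is an added example, not from the original post or from Microsoft, that lists enabled domain computers with no LAPS-managed password. It assumes the ActiveDirectory PowerShell module (RSAT) and an AD schema extended by the original LAPS, which adds the ms-Mcs-AdmPwdExpirationTime attribute to computer objects (the newer Windows LAPS uses msLAPS-PasswordExpirationTime instead; swap the attribute name if that is what you run):

```powershell
# Added example (not from the original post): find domain computers that LAPS is not
# managing. Assumes RSAT's ActiveDirectory module and the original LAPS schema, where
# ms-Mcs-AdmPwdExpirationTime is populated once the client has rotated the password.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase)   # optional OU distinguished name to limit the query
    $params = @{
        # enabled computer objects only (userAccountControl bit 2 = disabled)
        LDAPFilter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
        Properties = 'ms-Mcs-AdmPwdExpirationTime', 'operatingSystem'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADComputer @params | ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.operatingSystem
            Managed         = [bool]$exp
            # value is a FILETIME (100-ns ticks since 1601); $null when unmanaged
            PasswordExpires = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
        }
    }
}

$coverage  = @(Get-LapsCoverage)
$unmanaged = @($coverage | Where-Object { -not $_.Managed })
'{0} of {1} enabled computers have no LAPS-managed password' -f $unmanaged.Count, $coverage.Count
$unmanaged | Sort-Object Name | Format-Table Name, OperatingSystem -AutoSize
```

Computers that show up here are the ones to chase: either the LAPS client is not installed, the GPO does not apply to their OU, or they have not checked in. A password whose PasswordExpires date is far in the past is also worth a look, since it means the client stopped rotating.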
Logging and Alerting
The ability to log and alert offers great insight into what is happening on the network. The following Group Policy enables logon events: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit logon events (on Windows Vista/Server 2008 and later the equivalent, more granular setting is Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Logon). You can confirm it is in effect on a machine with auditpol /get /subcategory:"Logon".
Once configured, each successful logon is recorded in the Security log as Event ID 4624 (Event ID 528 on Windows 2000, XP and Server 2003). The events to watch for are those with Logon Type 3 (network) whose target account is a local account rather than a domain account, especially the built-in Administrator (RID 500); a pass-the-hash logon of that account also shows NTLM as the authentication package. Sending these events to an event log correlator and alerting on local administrator network logons is a powerful detection tool.
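The detection rule described above, written out as an added example that is not part of the original post: a helper flattens a 4624 record from Get-WinEvent into the fields the rule needs, and the rule flags network logons (type 3) by local accounts. The sample records at the bottom are constructed for this example rather than captured from a real system; the host name, SIDs and addresses in them are made up.

```powershell
# Added example (not from the original post): flag network logons (type 3) by local
# accounts in Event ID 4624 (Windows Vista / Server 2008 and later).

function ConvertFrom-LogonEvent {
    # Flatten a 4624 EventLogRecord (as returned by Get-WinEvent) into the fields the rule uses
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated      = $Record.TimeCreated
        Computer         = $xml.Event.System.Computer
        LogonType        = [int]$data.LogonType
        TargetUserName   = $data.TargetUserName
        TargetDomainName = $data.TargetDomainName
        TargetUserSid    = $data.TargetUserSid
        AuthPackage      = $data.AuthenticationPackageName
        IpAddress        = $data.IpAddress
    }
}

function Test-LocalAccountNetworkLogon {
    # True when a local (non-domain) account logged on over the network
    param($Event)
    if ($Event.LogonType -ne 3) { return $false }
    if ($Event.TargetDomainName -eq 'NT AUTHORITY') { return $false }   # SYSTEM, ANONYMOUS LOGON
    if ($Event.TargetUserName -like '*$') { return $false }             # machine accounts
    $hostName = ($Event.Computer -split '\.')[0]
    # Local accounts carry the computer's own name as their domain; the built-in
    # Administrator keeps RID 500 even when it has been renamed.
    ($Event.TargetDomainName -eq $hostName) -or ($Event.TargetUserSid -like 'S-1-5-21-*-500')
}

# Constructed sample records, in the shape ConvertFrom-LogonEvent produces
$samples = @(
    [pscustomobject]@{ TimeCreated=[datetime]'2024-01-01T09:00:00'; Computer='WS01.corp.example'; LogonType=3
                       TargetUserName='Administrator'; TargetDomainName='WS01'; TargetUserSid='S-1-5-21-1-2-3-500'
                       AuthPackage='NTLM'; IpAddress='10.0.0.5' }
    [pscustomobject]@{ TimeCreated=[datetime]'2024-01-01T09:01:00'; Computer='WS01.corp.example'; LogonType=3
                       TargetUserName='jsmith'; TargetDomainName='CORP'; TargetUserSid='S-1-5-21-9-8-7-1105'
                       AuthPackage='Kerberos'; IpAddress='10.0.0.7' }
    [pscustomobject]@{ TimeCreated=[datetime]'2024-01-01T09:02:00'; Computer='WS01.corp.example'; LogonType=2
                       TargetUserName='Administrator'; TargetDomainName='WS01'; TargetUserSid='S-1-5-21-1-2-3-500'
                       AuthPackage='Negotiate'; IpAddress='-' }
    [pscustomobject]@{ TimeCreated=[datetime]'2024-01-01T09:03:00'; Computer='WS01.corp.example'; LogonType=3
                       TargetUserName='WS02$'; TargetDomainName='CORP'; TargetUserSid='S-1-5-21-9-8-7-2001'
                       AuthPackage='Kerberos'; IpAddress='10.0.0.8' }
)

$samples | Where-Object { Test-LocalAccountNetworkLogon $_ } |
    Format-Table TimeCreated, Computer, TargetDomainName, TargetUserName, AuthPackage, IpAddress -AutoSize
# Only the first record is flagged: local Administrator, logon type 3, NTLM (the shape a
# pass-the-hash logon takes). The interactive logon (type 2) and the domain user and
# machine-account logons are ignored. Against the live log replace $samples with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { ConvertFrom-LogonEvent $_ }
```

Once the deny-network-logon policy above is in place, these attempts no longer succeed and show up as Event ID 4625 (failed logon) instead; apply the same field logic to 4625, since a burst of failed type-3 logons by a local administrator account across many hosts is exactly the lateral-movement attempt the policy is there to stop.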
Following these recommendations, you should be able to impede and detect an attacker who has compromised a local administrator account. Adhering to these principles of layered defense can help you detect and deter an attacker, allowing you to remediate and recover more quickly. Should your organization require assistance fortifying or testing its defenses, don’t hesitate to reach out to Sikich’s team of cybersecurity experts.