Administrator accounts pose a significant risk to enterprise security if they fall into the wrong hands. In this video, Mike Chapple explains best practices around local administrator account security.
- [Instructor] Now, let's see what we can learn from the Maersk breach. We can draw one of this breach's most important lessons from one of the two mechanisms used by NotPetya to spread from system to system, the Mimikatz technique. Mimikatz reaches into the memory of an infected system and searches for information on any accounts that have recently accessed the system. If an administrator recently logged in to the system, memory will contain that account's password, and the user can then use that password to attempt access to other systems on the network.
There are two major risks posed by Mimikatz. First, if a domain administrator logs on to a workstation, and that workstation is later compromised, the attacker may be able to use Mimikatz to retrieve that domain administrator's password. This is, of course, the golden ticket. A domain administrator account has superuser privileges across the network, and a compromised domain administrator account is one of the worst things that can happen in cybersecurity.
However, that's not the only way that Mimikatz can pose a significant danger. Each Windows system also has a local administrator account that may be used to manage that system. This account also has powerful privileges, but they are limited to that machine. The risk comes when organizations reuse the same local administrator password across multiple systems. This is dangerous, but it is also a common practice. As organizations seek to strengthen their management of administrator accounts, they should follow four precautions designed to add significant security to these accounts.
First, they should take action to directly combat the threats posed by Mimikatz that we just discussed. Domain administrators should never use their domain administrator accounts to log on to workstations. Anyone who has domain administrator rights should have two separate accounts: a domain administrator account and a normal user account. They should only use the domain administrator account on secure servers and only when they need to exercise domain administrator privileges.
Otherwise, they should use their normal user account. This reduces the risk that the domain administrator account will be compromised by having the password stored in memory, where it might be read by Mimikatz. Second, organizations should use different local administrator passwords on each system in the organization. The reuse of any type of password increases the potential impact that an attacker could have if they recover that password. So, IT professionals should seek to prevent reuse as much as possible.
Third, organizations should secure administrative accounts with multifactor authentication. Adding an extra authentication step prevents someone with knowledge of a password from accessing a system unless they are able to somehow compromise the alternate factor. Finally, organizations should consider the use of a privileged account management tool. These specialized tools apply strict monitoring and access control to administrative accounts, and they remove the need for anyone to know administrative passwords.
These mechanisms can strengthen security and make a domain more robust against Mimikatz-style attacks.
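As an added example that is not part of the video transcript: two audit checks, written in Python, for the first two precautions above (domain administrator logons on workstations, and local administrator password reuse across systems). The host names, account names, logon events and hash values are constructed placeholders, not data from any real environment.

```python
# Added example: audit checks for the two Mimikatz-related precautions.
from collections import defaultdict

# Constructed: which accounts hold domain-admin rights.
DOMAIN_ADMINS = {"CORP\\jdoe-da"}

# Constructed Windows 4624 logon events, reduced to the fields the check needs.
# Logon types 2 (interactive), 10 (RDP), 4 (batch) and 5 (service) leave
# credential material in LSASS memory, which is what Mimikatz reads; type 3
# (network) does not.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10}
EVENTS = [
    {"host": "WS-0123", "role": "workstation", "account": "CORP\\jdoe-da", "logon_type": 10},
    {"host": "WS-0123", "role": "workstation", "account": "CORP\\jdoe", "logon_type": 2},
    {"host": "DC-01", "role": "server", "account": "CORP\\jdoe-da", "logon_type": 2},
    {"host": "WS-0456", "role": "workstation", "account": "CORP\\jdoe-da", "logon_type": 3},
]

def domain_admin_workstation_logons(events, domain_admins):
    """Return (host, account, logon_type) for every domain-admin logon on a
    workstation that leaves the account's credentials resident in LSASS."""
    return [
        (e["host"], e["account"], e["logon_type"])
        for e in events
        if e["role"] == "workstation"
        and e["account"] in domain_admins
        and e["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES
    ]

# Constructed: local Administrator NT hash per host, as an inventory tool might
# collect it. The values are placeholders, not real hashes.
LOCAL_ADMIN_HASHES = {
    "WS-0123": "HASH-PLACEHOLDER-A",
    "WS-0456": "HASH-PLACEHOLDER-A",
    "WS-0789": "HASH-PLACEHOLDER-A",
    "SRV-01": "HASH-PLACEHOLDER-B",
}

def reused_local_admin_passwords(hashes_by_host):
    """Group hosts sharing one local-admin NT hash. The NT hash is unsalted, so
    equal hashes mean equal passwords: one compromised host exposes the group."""
    hosts_by_hash = defaultdict(list)
    for host, h in hashes_by_host.items():
        hosts_by_hash[h].append(host)
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) > 1}

if __name__ == "__main__":
    for host, account, lt in domain_admin_workstation_logons(EVENTS, DOMAIN_ADMINS):
        print(f"domain admin {account} logged on to workstation {host} (logon type {lt})")
    for h, hosts in reused_local_admin_passwords(LOCAL_ADMIN_HASHES).items():
        print(f"same local administrator password on: {', '.join(hosts)}")
```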