Is local admin access a danger to a properly set-up network?

Local Admin access means that it is easier for the attacker to establish persistent control of the host, to install software and modify system settings, and to take actions like sniffing the network that may allow it to move laterally onto other systems.

So, yes, it is a danger to the network, in that it provides the attacker with more stable access to a more capable platform for lateral movement.


Danger is a bit of a strong word. I would say that local admin access presents additional network risks over non-admin access.

Admin access allows the user to run a packet sniffer in promiscuous mode. That can present additional risks if the network in question is vulnerable to MiTM attacks, or other unencrypted, sensitive information goes across the network.

You have to understand this risk in the context of users normally having physical access to the network. A malicious insider with physical access to the network cable could just simply plug their own device, which they have root/admin access to, into the network, sniff packets on it and perform the same attacks without root access on their own machine.


It is far more dangerous than most people guess. When we debated how much someone could do from Local Admin (local account, not domain account) on one domain-joined machine, I said "Would you like to find out?" Nobody did. Turned out they wanted to debate the theory but not put it to the test.

I argued on the other question about what you are defending against. Well, here's the thing. The next time anybody else connects to the machine in question, the local admin can impersonate that user. If it was a network share access, the impersonation can only be used for a few minutes. But a few seconds of domain admin is plenty to create a service on a network share on the domain controller.

In the old days it was stupidly worse. The machine can MITM-attack anybody on the network not specifically defended against ARP spoofing. Until recently, this was the end game, but MS finally got their act together and closed SMB against MITM by fixing the auth package and actually making a backwards-incompatible change so that it stays fixed.

But not permitting the developer's VLAN access to the internet is dumb. Perhaps the best thing to do is let them have admin on their machines or VMs but simply not join them to the domain.

Yet this almost never comes up. The threat of being fired and prosecuted keeps the developers from going all-out like this, and for some reason internet-borne malware doesn't use this stuff. So again, what are you really defending against? The developers probably can take over anyway. You've got to install version updates on production sooner or later.