Local Guest Account
-
@scottalanmiller said in Local Guest Account:
So deleting should just be what we do.
Yes, in order to be 100% sure that local elevation does not happen. Unless you are actively monitoring local accounts which most organizations do not and only monitor domain accounts.
-
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
-
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
-
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Having a computer poses a risk. We should just kill all these risks, and kill all computers.
-
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Depends who you work with...I trust all my team I work with. If I didn't, I wouldn't work with them...
-
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
You pay people to do work but stand around watching over their shoulders? That's bad practice. If you don't trust them, why are they on the machine with access to things you don't trust them to touch?
-
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Depends who you work with...I trust all my team I work with. If I didn't, I wouldn't work with them...
Right, so why watch your vendor like that, they are part of your team.
-
@scottalanmiller said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
You pay people to do work but stand around watching over their shoulders? That's bad practice. If you don't trust them, why are they on the machine with access to things you don't trust them to touch?
lol - because HVAC company that Target used.
FYI - I'm mostly kidding, but not entirely.
-
@Dashrender said in Local Guest Account:
@scottalanmiller said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
You pay people to do work but stand around watching over their shoulders? That's bad practice. If you don't trust them, why are they on the machine with access to things you don't trust them to touch?
lol - because HVAC company that Target used.
FYI - I'm mostly kidding, but not entirely.
They weren't the problem. The problem was whoever gave them tons and tons more access than they were supposed to have. Why were they given open access to the network? It was the network admin's lack of security that caused the problem.
-
@scottalanmiller said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Depends who you work with...I trust all my team I work with. If I didn't, I wouldn't work with them...
Right, so why watch your vendor like that, they are part of your team.
Not always, we are told by clients to allow some vendors onto their systems, they were never recommended by us, therefore not part of our team, they're an external third party. Not saying sit there and just do that, but we are always on the server at the same time with a recorded session in those instances, can still do other tickets etc in the background, but keep an eye on for opening stuff they shouldn't be doing/have a recording to prove stuff that was done etc
-
@NattNatt said in Local Guest Account:
Not always, we are told by clients to allow some vendors onto their systems, they were never recommended by us, therefore not part of our team,
In that case the client is the system administrator in charge of security and you are peers on the team with the vendor. Still part of the team, and you're not running IT. The IT manager is the one making the security decisions.
-
@NattNatt said in Local Guest Account:
@scottalanmiller said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Depends who you work with...I trust all my team I work with. If I didn't, I wouldn't work with them...
Right, so why watch your vendor like that, they are part of your team.
Not always, we are told by clients to allow some vendors onto their systems, they were never recommended by us, therefore not part of our team, they're an external third party. Not saying sit there and just do that, but we are always on the server at the same time with a recorded session in those instances, can still do other tickets etc in the background, but keep an eye on for opening stuff they shouldn't be doing/have a recording to prove stuff that was done etc
You can give yourself a local admin rights in about 60 seconds through the GUI. If you script it, you are talking about 3-5 seconds. If you are going to let someone on your system, you better be auditing them.
-
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@scottalanmiller said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@NattNatt said in Local Guest Account:
@IRJ said in Local Guest Account:
@DustinB3403 said in Local Guest Account:
We disable it.
According to Microsoft that is a low risk and if you aren't getting alerts for local user account changes it can pose a much higher risk.
The local admin account is generally changed on a regular basis, but guest accounts are rarely touched. An admin or even a vendor could in turn enable the guest account and give it local admin privileges, and chances are you would never know.
Wait, you allow Vendors access to your servers without monitoring them to see what they're actually doing?
Internal IT poses a risk as well.
Depends who you work with...I trust all my team I work with. If I didn't, I wouldn't work with them...
Right, so why watch your vendor like that, they are part of your team.
Not always, we are told by clients to allow some vendors onto their systems, they were never recommended by us, therefore not part of our team, they're an external third party. Not saying sit there and just do that, but we are always on the server at the same time with a recorded session in those instances, can still do other tickets etc in the background, but keep an eye on for opening stuff they shouldn't be doing/have a recording to prove stuff that was done etc
You can give yourself a local admin rights in about 60 seconds through the GUI. If you script it, you are talking about 3-5 seconds. If you are going to let someone on your system, you better be auditing them.
That was my point, we do that, we record everything as well to make sure we don't miss anything/can play back and see exactly what was done, covering ourselves in case something they do breaks the system//creates a backdoor//loophole like this
