Disabling Local Administrators through GPO on Server 2008

One of the common techniques I generally use during a penetration test is often referred to as pivoting or leap frogging. Essentially, when you compromise one machine, the information on the single server often yields a second or multiple compromises on an infrastructure. For example, say I compromise a member DC within a domain and dump the SAM database. The local administrator account hashes are extracted and can be used on almost any server within the domain at that point. Other common techniques revolve around token/kerberos impersonation and leveraging other techniques for gaining access to other systems. I decided that we no longer needed the local administrator accounts on any of our systems and wanted to go ahead and disable that. There is a group policy setting to change the local administrator account name as well as disable it. This works like a champ on Server 2003 however does not on 2008. A new requirement on server 2008 has to have a second administrator account active on the machine in order for the default account to be disabled. This completely defeats the purpose of what we’re trying to accomplish here. Luckily theres a somewhat less known way of disabling it across every machine through group policy.

Before starting any of these steps, ensure that you force a name change on the administrator account through group policy. If it’s specified as Non Defined, then the administrator account can be renamed to something else and this scheduled task method will not work. In our example, we renamed the local administrator to “notused”

First, log into your domain controller and go to the group policy management editor. Edit whatever group policy governs your workstations and servers or both. Right click edit and navigate to:

Computer Configuration, Preferences, Control Panel Settings, Scheduled Tasks

Right click on the scheduled task window and select new scheduled task.

You should get something that looks something like this:

Ensure that “run as” is not checked in order to run as the local SYSTEM account. Fill out the information shown here:

Click on the schedule tab. On the schedule tab, keep the defaults and click advanced. Place the amount of minutes you want it to be active. 10 minutes seemed fine to us.

After that, click OK and OK. Go onto a machine and run a gpupdate /force. The local administrator account should now be disabled and work on server 2003, Windows 7, Vista, server 2008, etc.

David Kennedy

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.