Unnecessary Local Administrator Check

  • Thursday, July 09, 2009 10:35 PM, District1

    Several of the workstations in my network are reporting back as "medium" because they are failing the "number of unnecessary Local Administrators" check, with a value of "2".

    In each case, the default Administrator account is disabled. We've created a default user account to be a local admin account on each workstation (so that we can script the password change every 3 months) and those two are the only accounts (other than the standard Domain Admins account). 

    The clients are all Vista x64 boxes, with the latest service patch. FCS has been patched up fully, and works fine.

    Do I need to re-enable the local admin accounts and get rid of the default user account? I'm not sure why that's any tighter, security-wise, especially since the local administrator account can't be locked out. 

    Thoughts? 

Answers

  • Monday, August 24, 2009 9:38 AM, Johan Blom, Forefront MVP
    Answer
    Interesting thread.

    It's not possible to change SSA scan options (it will be in next gen FCS). The options are in a manifest file that is digitally signed, and if the signature breaks (e.g. someone tries to edit the file) SSA does not run.

    Just my 5 cents to the discussion
    /Johan
    MCSE, forefront spec | www.msforefront.com

All Replies

  • Monday, July 13, 2009 9:13 AM, Nick Gu - MSFT (MSFT, Moderator)

    Hi,

    Thank you for your post.

    I don't think you need to delete the default user account. In general, it is recommended to keep the number of administrators to a minimum because administrators essentially have complete control over the computer.

    As far as I know, the Administrators SSA check identifies and lists the user accounts that belong to the local Administrators group. If more than two individual administrator accounts are detected, Client Security lists in related reports the account names as a potential vulnerability. But the local administrator account and domain administrator accounts are excluded from this check.

    Regards,

    Nick Gu - MSFT
  • Monday, July 13, 2009 12:34 PM, District1

    Well, in this case, there are three accounts in the local admin group:

    1. The default local admin account (which is disabled)
    2. A custom local admin account (enabled)
    3. The default domain admins group

    If what you're saying is true, items #1 and #3 should be excluded from the check, yielding up a grand total of one local admin account. So either:

    a) the check isn't working the way you described
    b) it is working the way you described, but it's not recognizing the local admin or domain admins group as what they really are...

    Thoughts?

    end of line,

    Reed Wiedower
  • Monday, July 20, 2009 4:03 AM, Nick Gu - MSFT (MSFT, Moderator)

    Hi,

    Thank you for your update.

    I will share an article related to the Administrators check. Hope this will give you more understanding of the SSA check.

    http://technet.microsoft.com/en-us/library/bb418830.aspx

    Regards,

    Nick Gu - MSFT
  • Monday, July 20, 2009 12:54 PM, District1


    I think you meant to link to this article:

    http://technet.microsoft.com/en-us/library/bb418801.aspx

    Regardless, of the three accounts present, two are members of the excluded groups. Here's the relevant text:

    "The Administrators SSA check identifies and lists the user accounts that belong to the local Administrators group. If more than two individual administrator accounts are detected, Client Security lists in related reports the account names as a potential vulnerability.

    User accounts that belong to the local Administrators or Domain Admins groups have authority to do almost anything on the systems and networks that they have permission to access. If such an account is taken over maliciously, catastrophic harm could be done to the system or network.

    The local administrator account and domain administrator accounts are excluded from this check."

    If the local admin account and domain admins group are excluded, then there's only one account left. So I should be getting a "Low" score, rather than a "Medium" score.

    end of line,

    Reed
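
An added example, not part of this thread or of FCS itself: a PowerShell script that enumerates the local Administrators group on a Vista-era box and applies the two exclusions the article quoted above describes (the built-in Administrator account, which always has RID 500, and the Domain Admins group, RID 512), so you can see for yourself what the check would be left counting. It uses the ADSI WinNT provider because Get-LocalGroupMember does not exist on Vista. The $ComputerName parameter, the Get-AdsiProperty helper and the RID-based exclusion rule are my assumptions about how the documented check behaves, not the actual SSA implementation.

```powershell
# Added example (not from the thread): list local Administrators members and
# apply the exclusions the TechNet article describes. Requires PowerShell 2.0
# or later; run from an elevated prompt. Assumption: RID 500 (built-in
# Administrator) and RID 512 (Domain Admins) are what the check excludes.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: local box by default
)

function Get-AdsiProperty {
    param($Object, [string]$Name)
    # Members returned by IADsGroup.Members() are raw COM objects, so their
    # properties have to be read through late-bound reflection.
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

$group   = [ADSI]"WinNT://$ComputerName/Administrators,group"
$members = @($group.psbase.Invoke('Members'))

$report = foreach ($m in $members) {
    $name     = Get-AdsiProperty $m 'Name'
    $class    = Get-AdsiProperty $m 'Class'      # 'User' or 'Group'
    $adsPath  = Get-AdsiProperty $m 'AdsPath'    # e.g. WinNT://CONTOSO/Domain Admins
    $sidBytes = Get-AdsiProperty $m 'objectSid'
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

    # Disabling an account does not remove it from the group, so the built-in
    # Administrator still shows up here even when it is disabled.
    $disabled = $false
    if ($class -eq 'User') {
        $disabled = [bool](Get-AdsiProperty $m 'AccountDisabled')
    }

    # RID 500 matches the built-in Administrator of the machine (and of the
    # domain); RID 512 matches the Domain Admins group.
    $excluded = ($sid -like '*-500') -or ($sid -like '*-512')

    New-Object PSObject -Property @{
        Name     = $name
        Class    = $class
        Source   = ($adsPath -replace '^WinNT://', '' -replace '/[^/]+$', '')
        SID      = $sid
        Disabled = $disabled
        Excluded = $excluded
    }
}

$report | Format-Table Name, Class, Source, SID, Disabled, Excluded -AutoSize

$counted = @($report | Where-Object { -not $_.Excluded })
"Members counted after exclusions: $($counted.Count)"
```

On the configuration described in this thread the table should show three rows: the disabled built-in Administrator (excluded by RID), the custom local admin user (counted), and Domain Admins (excluded by RID), giving a count of one. If you see extra rows, for example a stale domain SID that no longer resolves to a name, that is an additional member the check may be counting. Whether SSA actually discounts a disabled account, or resolves group members the same way, is not stated in the article, so treat the script's count as what the documented rule implies rather than as what the scanner does.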

  • Thursday, July 23, 2009 7:11 PM, District1

    To be clear: my problem is still not solved. I need to know why it's flagging the computers as "medium" rather than "low". Any ideas?

    end of line,

    Reed Wiedower
  • Monday, July 27, 2009 2:11 AM, Nick Gu - MSFT (MSFT, Moderator)

    Hi,

    Please check to see if there is any other account belonging to the administrator account or domain administrator accounts on the client.

    Regards,

    Nick Gu - MSFT
  • Monday, July 27, 2009 1:13 PM, District1

    There are only three accounts on the client with admin rights:

    1) a local user (who is a member of the local administrators group)
    2) the built-in local admin account (which is disabled, by default, and a member of the local administrators group)
    3) the "domain admins" group

    That's it. Just three.

    end of line,

    Reed
  • Thursday, July 30, 2009 7:57 PM, District1

    Has there been an update on this? I'm still waiting for some ability to resolve this. Thanks!

    end of line,

    Reed Wiedower
  • Tuesday, August 11, 2009 4:44 PM, District1

    There's still no update. As we're deploying FCS to additional clients, this check has become increasingly onerous. Any ideas?

    end of line,

    Reed Wiedower
  • Thursday, August 20, 2009 2:27 PM, Josh Derr

    Reed-

    We ran into the same issue with FCS deployment in our enterprise. Ideally, it would be more helpful to be able to adjust the threshold of users that triggers this warning, but there doesn't seem to be a way to do that. We worked around it by creating a rule in the admin console that does not log the local admin group warning events into the OnePoint database. Now the local admin group membership doesn't get factored in at all for the machine's security score.

    - Josh
  • Thursday, November 12, 2009 2:07 PM, Jono2p

    @ Johan Blom

    Hi,

    When will the next gen FCS be released to enable us to change the SSA scan options?

    regards