
[Feature] Administrator + WLapsAdmin accounts both present and enabled, should built-in Admin be disabled? #161

@RolandTB303

Description


Hi folks, first of all merry Christmas to all who celebrate, and I hope you're all getting some time off work either way.

I'm rationalising all of the settings of our W11 build that do not align with the latest CIS L1 guidance. We are using a profile set which is very heavily based on the OIB with a few changes: merging some profiles in a way we deem rational for reference/administrative purposes, and BitLocker settings that allow TPM / TPM + PIN startup so that we can publish a UI script which allows users to set their own PIN. Side note - James, if it might be of some use for us to share a spreadsheet with our changes to the settings that comply with the v4.0.0 CIS Benchmark for Intune, please let me know and I will try to arrange that for you. For example, our Security director has asked for us to apply settings which enforce defaults as a sort of DiD approach, since there is no real negative consequence to doing so.

One question that I have been unable to answer looking at the OIB configs is why there are 2 local Admin accounts present and enabled. The 'Security by Obscurity' blog on this topic (https://skiptotheendpoint.co.uk/dot-slash-administrator-a-security-risk-analysis) states that, without using LAPS:

  1. There is no major benefit to creating a 2nd Administrator account, as the SID/RID of this account can be identified with standard user permissions in PowerShell anyway.
  2. There is no major benefit to renaming the built-in Administrator account for the same reason.
  3. The view that the built-in account has no lockout measures is not accurate post-22H2, and the perceived threat of attacks exploiting this is overexaggerated.

My understanding of the OIB WLapsAdmin account management is as follows:

  1. Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6 creates/manages a new account which defaults to name WLapsAdmin due to not being explicitly renamed.

  2. Win - OIB - ES - Local Group Membership - D - Local Administrators - v3.7 refreshes the group membership of Administrators, replacing any named members with WLapsAdmin.

If I run `Get-LocalGroupMember -Group "Administrators"` I see Administrator and WLapsAdmin, and both accounts are enabled.

While this seems sensible, isn't there an issue here where we have both a fully LAPS managed account with automated actions to ensure it is the sole named member of the Administrators group, whilst also having a completely unmodified built-in account? I'm curious about why we aren't either A) using LAPS to manage/rename the built-in account or B) managing the secondary account WLapsAdmin and disabling the built-in account. Can anyone help me understand this?

Thanks once again to James and all who contribute, and take care all.
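An added audit script (example code, not part of the issue above or of the OIB project) that reproduces the check the issue describes: it lists the local Administrators members, identifies the built-in Administrator by its RID 500 rather than by name, reads which account Windows LAPS is configured to manage, and flags the state the issue asks about, an enabled built-in account sitting next to a LAPS-managed one. It assumes the Windows LAPS policy is readable at `HKLM:\SOFTWARE\Microsoft\Policies\LAPS` (assumption) and must run elevated on the device.

```powershell
# Added example, not from the issue or the OIB project.
# Assumption: Windows LAPS policy lives under this key; AdministratorAccountName
# names the managed account, and when it is unset LAPS manages the built-in RID 500 account.
$lapsPolicy  = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$managedName = (Get-ItemProperty -Path $lapsPolicy -ErrorAction SilentlyContinue).AdministratorAccountName

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Only local user accounts have an Enabled flag we can read; domain/Entra members do not.
    $local = $null
    if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
        $local = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    }
    # The built-in Administrator keeps RID 500 whatever it has been renamed to.
    $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
    [pscustomobject]@{
        Name          = $m.Name
        Source        = $m.PrincipalSource
        Enabled       = if ($local) { $local.Enabled } else { 'n/a' }
        BuiltInRID500 = $isBuiltIn
        LapsManaged   = if ($managedName) { [bool]($local -and $local.Name -eq $managedName) } else { $isBuiltIn }
    }
}
$report | Format-Table -AutoSize

# The condition raised in the issue: an enabled, unmanaged built-in Administrator alongside a LAPS-managed account.
$builtIn = $report | Where-Object BuiltInRID500
if ($builtIn -and $builtIn.Enabled -eq $true -and -not $builtIn.LapsManaged) {
    Write-Warning "Built-in Administrator ('$($builtIn.Name)') is enabled and not LAPS-managed; disable it or point LAPS at it."
}
```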
