Default Administrator Enabled (RID 500)
Internal Penetration Testing
External Penetration Testing
The technical overview of a finding, not meant to be all-inclusive.
The default administrator account is often used during the initial setup of a host and when joining it to an AD (Active Directory) domain environment. This account is commonly referred to as BUILTIN\Administrator, also known as NT AUTHORITY\Administrator, and carries the relative identifier (RID) 500. It exists by default on all Microsoft Windows (Windows NT-based) systems as well as in Active Directory domains. The assessment team discovered hosts on which this built-in Administrator account was enabled.
How a finding result will affect an organization.
If an attacker gains elevated system privileges on a compromised host, the attacker could recover the clear-text password and the NTLM hash of this account. These credentials could then be used for further access or lateral movement, for example through Pass-the-Hash attacks against other machines that share the same password.
Current plan of action recommended.
The assessment team recommends disabling the built-in Administrator account if business requirements allow. Where possible, this account should only be used during initial setup and disaster recovery. If disabling the account is not an option, it is recommended to use a solution such as LAPS (Local Administrator Password Solution), or a third-party solution, to randomize and manage local administrator passwords in bulk.
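An added check, not part of the OS-CFDB entry, that a defender can run to confirm this finding or verify the fix: it locates the RID 500 account by SID rather than by name, so a renamed account is still found, on the local host and, when the RSAT ActiveDirectory module is present, in the current domain. The -DisableLocal switch and the function names are this script's own assumptions.

```powershell
[CmdletBinding()]
param(
    # Remediation: disable the local RID 500 account if it is found enabled.
    [switch]$DisableLocal
)

function Get-LocalRid500Account {
    # Get-LocalUser ships with Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
    # The local built-in Administrator is always <MachineSID>-500, whatever its name.
    # Note: domain controllers have no local SAM, so this returns nothing there.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-DomainRid500Account {
    # Requires the ActiveDirectory module (RSAT). The built-in domain Administrator
    # is always <DomainSID>-500; -Identity accepts a SID string directly.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled, PasswordLastSet, LastLogonDate
}

# Local host: report state, and optionally disable the account.
$local = Get-LocalRid500Account
if ($local) {
    [pscustomobject]@{
        Scope           = 'Local'
        Name            = $local.Name
        SID             = $local.SID.Value
        Enabled         = $local.Enabled
        PasswordLastSet = $local.PasswordLastSet
    }
    if ($DisableLocal -and $local.Enabled) {
        Disable-LocalUser -SID $local.SID
        Write-Verbose "Disabled local RID 500 account '$($local.Name)'."
    }
}

# Domain: report only; the domain Administrator is the disaster-recovery account
# and should be handled through change control rather than an ad-hoc script.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $domain = Get-DomainRid500Account
    [pscustomobject]@{
        Scope           = 'Domain'
        Name            = $domain.SamAccountName
        SID             = $domain.SID.Value
        Enabled         = $domain.Enabled
        PasswordLastSet = $domain.PasswordLastSet
        LastLogonDate   = $domain.LastLogonDate
    }
}
```

Run it with -Verbose -DisableLocal from an elevated prompt to apply the local remediation; a PasswordLastSet far in the past on an enabled account is the case LAPS-style rotation is meant to address.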