Best Practices and Tricks to Protect Local Admin Passwords at a Large Scale

How to secure local admin passwords, for instance on machines that are deployed from a common image (and therefore start life with the same local admin password):

First of all, two mandatory prerequisites:

-          Make sure all applicable security fixes are deployed on every machine.

-          Keep an inventory, updated on a regular basis, of the local admin accounts: which machines have which accounts, and which of them are still enabled.

 

The first recommendation is to disable or delete the local admin account altogether. This is only workable when the machine is domain-joined and offline sessions (opening a session with cached domain credentials while there is no AD connectivity) are allowed, so that administrators can still log on when the domain is unreachable.

Why do so? If one machine is compromised, its local admin password is recovered, and that same password is shared with other machines, the attacker can reuse it to move laterally and compromising the rest of the IT estate becomes much easier. Removing the shared account keeps the damage contained to a zone (one machine, the local level) instead of letting it turn into a global compromise.

 

If that first recommendation is not doable, the second advice is to rename the built-in local administrator account to a name of the organization's choosing (one its own staff can easily work out). This complicates a number of attacks, including malware, in which the local admin user name is more or less hardcoded into the tool, script or malware; changing the default name breaks such a tool. Once again, this is not the most effective measure: the renamed account keeps its well-known relative identifier (RID 500), so an attacker who enumerates accounts by SID rather than by name still finds it.

 

Now, the third and most operational recommendation is to give each machine a unique local admin password derived from something that is unique to the machine itself. The idea is to take a machine-specific value, such as the MAC address, the HDD's serial number, the CPU's serial number, the disk volume's ID, etc., as a parameter, and to build from it a password that differs on every machine. Ideally, also add a parameter linked to the date, so that the local admin passwords change over time (regular rotation is standard best practice). CSS Security recommends a password length of at least 16 characters.

Obviously, the algorithm must be known to the helpdesk and support teams, so that when they have a machine to troubleshoot they can rebuild its password by running the same algorithm with the "unique" value they retrieve manually (from the BIOS, the asset tag or system information) as input.
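The following PowerShell script is an added example for the two paragraphs above, not a tool from the original article or from CSS Security. It implements the "unique value + date" scheme as a keyed derivation: the password is HMAC-SHA256 over the machine's serial number and the current month, so that the serial number alone (which is printed on the chassis) does not give away the password; the helpdesk side is the same function fed a serial number typed by hand. The HMAC key, the function names and the choice of the BIOS serial number as the unique value are assumptions; the script requires Windows 10 / Windows Server 2016 or later for Get-LocalUser and Set-LocalUser.

```powershell
# Added example, not part of the original article: a keyed variant of the
# "unique value + date" scheme. The HMAC key, the function names and the
# choice of the BIOS serial number as the unique value are assumptions.
# Requires PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Windows Server 2016 or later) for Get-LocalUser / Set-LocalUser.

function Get-MachineUniqueValue {
    # Unique value read on the machine: BIOS serial number, falling back to the
    # system drive's volume serial when the OEM left the BIOS field empty.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    if ([string]::IsNullOrWhiteSpace($serial) -or $serial -match 'To be filled|Default string') {
        $serial = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'").VolumeSerialNumber
    }
    return $serial.Trim()
}

function Get-DerivedLocalAdminPassword {
    param(
        [Parameter(Mandatory)] [string] $UniqueValue,          # serial read on the box, or typed in by helpdesk
        [Parameter(Mandatory)] [byte[]] $Key,                  # secret shared only by deployment and helpdesk
        [string] $Period = (Get-Date -Format 'yyyy-MM'),       # date parameter: a new password every month
        [ValidateRange(16, 32)] [int] $Length = 20             # >= 16 as recommended; <= 32 bytes of HMAC output
    )
    # HMAC-SHA256(key, "<unique>|<period>"): the same inputs always give the same
    # password, but the machine value alone (MAC, serial...) is useless without the key.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        $mac = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("$UniqueValue|$Period"))
    } finally {
        $hmac.Dispose()
    }

    # Alphabets without look-alike characters (helpdesk reads these over the phone).
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = 'abcdefghijkmnpqrstuvwxyz'
    $digit  = '23456789'
    $symbol = '!@#$%&*+'
    $all    = $upper + $lower + $digit + $symbol   # 64 characters, so byte % 64 is unbiased

    # The first four characters guarantee one of each class so complexity policies
    # accept the result; the remaining ones are drawn from the full alphabet.
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append($upper[$mac[0] % $upper.Length])
    [void]$sb.Append($lower[$mac[1] % $lower.Length])
    [void]$sb.Append($digit[$mac[2] % $digit.Length])
    [void]$sb.Append($symbol[$mac[3] % $symbol.Length])
    for ($i = 4; $i -lt $Length; $i++) {
        [void]$sb.Append($all[$mac[$i] % $all.Length])
    }
    return $sb.ToString()
}

function Set-BuiltinAdminDerivedPassword {
    # Deployment side (run as SYSTEM by the GPO startup script): set the password on
    # the built-in administrator, located by its RID 500 so that a rename does not matter.
    param([Parameter(Mandatory)] [byte[]] $Key)
    $password = Get-DerivedLocalAdminPassword -UniqueValue (Get-MachineUniqueValue) -Key $Key
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Set-LocalUser -Name $admin.Name -Password (ConvertTo-SecureString -String $password -AsPlainText -Force)
}

# Placeholder key (assumption): generate a long random secret and keep it out of SYSVOL.
$key = [System.Text.Encoding]::UTF8.GetBytes('REPLACE-WITH-A-LONG-RANDOM-SECRET')

# On the machine (GPO startup script):
Set-BuiltinAdminDerivedPassword -Key $key

# Helpdesk side: rebuild the password from the serial printed on the asset and the
# month in which the script last ran, without touching the machine.
Get-DerivedLocalAdminPassword -UniqueValue 'PF1ABC23' -Key $key -Period '2013-12'
```

Two design points worth noting. Using the HMAC output directly (rather than a plain hash of the serial) means the machine value can stay public and only the key must be protected; and selecting the account by RID 500 rather than by the name "Administrator" keeps the script working on machines where the second recommendation (renaming) has already been applied. The month-based period rotates the password automatically, but the helpdesk then needs to know which period the machine last applied, so the startup script should run on every boot or at least once per period.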

Last but not least, if you plan to deploy such a script through a GPO, it will most likely be stored in Netlogon (or the GPO folder in SYSVOL), which every domain user can read, so we recommend obfuscating the source code of the script. Keep in mind that obfuscation only raises the bar: anyone who can read SYSVOL and takes the time to de-obfuscate the script can recompute every machine's password, so the scheme is only as strong as the secrecy of its algorithm, and any secret input (such as a key) is better kept out of the script altogether.

 

Revision comments:
  • Richard Mueller edited Revision 5. Comment: Removed (en-US) from title, modified title casing

  • Philippe Vialle - MSFT edited Revision 3. Comment: adding password deployment tool (GPO)

  • Fernando Lugão Veltem edited Revision 1. Comment: alter title and added tags
