Skeleton Keys and Local Admin Passwords: A Cautionary Tale

October 26, 2023 Andrey Pozhogin

Image of a pile of metal, antique-looking skeleton keys.

Picture yourself immersed in your favorite mystery novel, eagerly flipping through the pages as the suspense thickens. You’re enthralled, engrossed in the story of a hotel burglar with an uncanny ability to sneak into guest rooms without leaving telltale signs of break-ins or lock-picking.

As you read on, you’re captivated – and stumped – by how this elusive bad actor can deftly close the doors behind them, leaving no clues. The enigma builds and ultimately is paid off with a thrilling finale when the secret is revealed: a singular, powerful tool called a “skeleton key.”

Unlike regular keys unique to a specific lock, a skeleton key has a shape that enables it to work in multiple locks by manipulating their internal mechanisms. It’s like a universal access pass, granting effortless entry without requiring individual keys for each lock. This makes it a versatile tool, ideal for someone looking to navigate and access various spaces easily. Skeleton keys are still widely used – you more likely know them as “master keys” or “arrow keys.”

Just like in our favorite detective novels, bad actors use master keys to access things like mailboxes, luggage, apartments, hotel rooms and even to pull off bank heists.

Skeleton keys embody a trade-off between security and convenience that today’s security teams are intimately familiar with.

  • Pros: On one hand, they offer unparalleled convenience, enabling swift access to many locks with a single tool. This efficiency appeals to those who routinely need to navigate spaces without carrying a massive key ring.
  • Cons: However, this convenience comes at the cost of security. The universal nature of the skeleton key means that if it falls into the wrong hands, it poses a significant security risk, potentially granting unauthorized access to areas and compromising the safety measures that locks are meant to provide.

And, of course, there’s a digital version of these keys used for cybercrime.

Skeleton Keys in the Digital Era: From Bad to Worse

In the digital era, the scale and ease with which a skeleton key equivalent can compromise security have reached unprecedented heights.

Picture vast organizations with tens of thousands of endpoints: workstations and servers, both physical and virtual, scattered across offices, on-premises data centers and cloud environments. It’s not uncommon to encounter a troubling practice where system administration is built around the routine use of local admin accounts, often with the same password – mirroring the concept of a universal skeleton key. Although advantageous for management, this simplistic approach results in a colossal vulnerability – a true Achilles’ heel (!) – akin to granting unrestricted access to an entire hotel’s secret passages and rooms through a single master key.

The implications are profound, and the stakes for IT security have never been higher.

In today’s complex enterprise landscape, the prevalent use of what can be termed as “modern digital skeleton keys” – local administrator accounts – poses a significant risk to organizational cybersecurity. Virtually every endpoint within a system is equipped with at least one of these local admin accounts, presenting a potential gateway for unauthorized access.

Compounding this risk, these local accounts cannot be protected with strong authentication, leaving them vulnerable to relatively easy exploitation. Adding to the concern, security teams can’t employ multi-factor authentication (MFA) to help protect these accounts. That’s because strong authentication and MFA require a source of truth and controls to prevent attackers from cracking or bypassing them.

Local authentication, however, is by definition its own authority and is usually constrained by legacy requirements. For instance, Windows is still using NTLM for local authentication. Also, the lack of an out-of-the-box method for centralized management leaves organizations grappling with scattered and unmonitored access points. Together, these gaps further underscore the urgent need for a comprehensive and secure approach to endpoint privilege management (EPM) and endpoint privilege security (EPS).

Let’s pause here to note that this is the actual state that too many companies are in right now. For these organizations, everything you read next – even the basic mitigations outlined in the next paragraph – is, at best, a part of future cybersecurity strategy, which is a humbling realization about where we are as defenders.


Strategic Steps and Security Controls to Help Reduce Risk

The following are some mitigations your team can implement to help mitigate the risk of local privileged account misuse:

  1. Eliminate the practice of reusing passwords for local admin accounts. Don’t create the “skeleton key” for your entire endpoint infrastructure in the first place! Each local account on every endpoint MUST have a unique password.
  2. Closely monitor local admin account usage. Yes, we understand this can be tricky. Who is the “local administrator” anyway? The answer is in itself a whodunit: Is it someone from IT? Is it the end user? Is it someone who got the password and is already in a system on your network? The simple answer is that it’s whoever currently has the password, and that’s a big part of why every organization needs to have a solid identity security component in their cybersecurity strategy.
  3. Rotate the passwords to local admin accounts frequently, and especially rotate them after each use. This is very important because cyberattackers can use different techniques to compromise the password, on use (e.g., a keylogger or a camera).

These mitigations are somewhat straightforward, but I must caution you against using half-baked solutions. There are many ways to get this wrong. When selecting a solution, ensuring it gets the basics right regarding controls and capabilities is essential.

Here are some examples:

  • Management of all privileged accounts on the endpoint, not just the built-in local administrator account
  • Encrypted and secure storage of passwords
  • Assured custody of the next, current and previous passwords
  • Reliable communication with the service and transaction-based password rotation
  • Support for major operating systems, workload types and deployment types
  • Continuous discovery of local privileged accounts and their transition under the password rotation policy umbrella
  • Robust deployment and recovery workflows

Reusing local administrator account passwords is a double-edged sword within today’s enterprise framework. The inherent risk lies in their omnipresence across endpoints and the inability to deploy authentication measures like adaptive MFA. This exposes organizations to potential security breaches, highlighting the critical importance of proactive measures.

Implementing rigorous security protocols, including regular monitoring and auditing of these accounts, enforcing strong password policies and segregating privileges to limit excessive access, forms the cornerstone of effective mitigation. However, this needs to be done in a way that increases the security and reliability of the infrastructure.

Out with Skeleton Keys, in with Endpoint Privilege Security

It’s time to rewrite the narrative to match this evolving digital landscape and banish skeleton keys from news headlines. The constant portrayal of cybersecurity breaches and vulnerabilities stemming from unsecured local admin accounts is a predictable plotline.

Addressing the local admin account password challenge requires a powerful and reliable solution. Organizations can mitigate this persistent risk by applying endpoint security controls for loosely connected devices.

When considering a solution, critical capabilities should include automated local privileged account discovery and enforcement of password rotation based on policies. This approach delivers security reinforcement even when endpoints have limited internet connectivity.

Organizations can streamline operational efficiency by focusing on loosely connected devices and heightening security, fundamentally transforming how they manage and safeguard endpoints. In doing so, organizations can get the best of both worlds – a positive security outcome because every endpoint now has a unique password that has never been used before (read: not compromised, guaranteed) and convenience, because even though a skeleton key for your endpoints doesn’t exist, your administrators have a simple and secure way of authenticating to any endpoint.

Author’s note: After you’ve finished reading that mystery novel, check out how CyberArk Endpoint Privilege Manager and CyberArk Privilege Cloud can help drive security and convenience outcomes, with a new and innovative focus on loosely connected devices and automated local privileged account discovery. Outcomes, with a new and innovative focus on loosely connected devices and automated local privileged account discovery.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Previous Article
Why ITDR Matters for Your Enterprise’s Identity Security
Why ITDR Matters for Your Enterprise’s Identity Security

You may not recognize the term Identity Threat Detection and Response (ITDR), but this emerging security di...

Next Article
Piecing Together the Attack on Okta’s Support Unit
Piecing Together the Attack on Okta’s Support Unit

The October 2023 Okta breach is the latest example in a long line of third-party identity attacks. Based on...