Built-in Administrator Account Vulnerability: The Most Critical Security Risk

The Built-in Administrator Account on Windows systems is one of the most critical security risks an organization faces. Leaving this account enabled hands attackers a prime target. Because the account, identified by RID 500 (its SID ends in -500), is exempt from account lockout policies, it is extremely exposed to brute-force attacks. This post examines the vulnerability and effective remediation methods in detail.

The Built-in Administrator Account is the default administrative account created automatically during Windows installation. It holds the highest privileges on the system and has special security characteristics.
SID: ends with S-1-5-21-domain-500

```powershell
# Special properties of the built-in Administrator account
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID -like "*-500" }
$specialProperties = @{
    "Account Lockout Immunity"   = $true   # Exempt from account lockout
    "Password Never Expires"     = $false  # Password expiry (configurable)
    "Cannot Be Deleted"          = $true   # Cannot be deleted
    "Cannot Be Disabled Locally" = $false  # Can be disabled locally
    "UAC Bypass Capability"      = $true   # UAC bypass (Admin Approval Mode)
    "Network Logon Rights"       = $true   # Network logon allowed
}
```

The biggest weakness of the built-in Administrator account is its exemption from account lockout policies:
```powershell
# Normal user account
$normalUser = "john.doe"
# 5 wrong password attempts → account is locked out

# Built-in Administrator account
$builtinAdmin = "Administrator"
# Unlimited wrong password attempts → account is NOT locked out!
```

```text
Hour 1-24:  1,000,000 password attempts
Hour 25-48: attack continues
Hour 49-72: still continuing
...
Continues until the attack succeeds!
```
```shell
# SID enumeration with Nmap
nmap --script smb-enum-users -p 445
# User enumeration with enum4linux
enum4linux -a
# SID brute force with rpcclient
rpcclient -U "" -N
> lookupsids S-1-5-21-domain-500
```

```powershell
# When the built-in Administrator hash is stolen
$adminHash = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
# It can be used across the whole domain:
psexec.exe -hashes $adminHash \\target1 cmd
psexec.exe -hashes $adminHash \\target2 cmd
psexec.exe -hashes $adminHash \\target3 cmd
# ... every machine in the domain
```
When the built-in Administrator account is compromised:

```powershell
# Creating a backdoor with the built-in Administrator
# 1. Scheduled task
schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -enc " /sc daily /ru Administrator
# 2. Service installation
sc create "WindowsDefenderService" binpath= "cmd.exe /c powershell.exe -enc " obj= ".\Administrator"
# 3. WMI event subscription
$payload = "powershell.exe -enc "
Register-WmiEvent -Query "SELECT * FROM Win32_Process WHERE Name='explorer.exe'" -Action { Invoke-Expression $payload }
```
```powershell
# Disable the built-in Administrator account
Disable-LocalUser -Name "Administrator"

# Alternative method - net command
net user Administrator /active:no

# Verification
Get-LocalUser -Name "Administrator" | Select-Object Name, Enabled
# Output: Enabled should be False
```

```powershell
# Disable the domain Administrator account
Import-Module ActiveDirectory

# Find the built-in domain Admin account by its well-known RID
$domainSID       = (Get-ADDomain).DomainSID.Value
$builtinAdminSID = "$domainSID-500"
$builtinAdmin    = Get-ADUser -Filter { SID -eq $builtinAdminSID }

# Disable the account
Disable-ADAccount -Identity $builtinAdmin.SamAccountName

# Verification
Get-ADUser -Identity $builtinAdmin.SamAccountName | Select-Object Name, Enabled
```
Path: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options

Accounts: Administrator account status = Disabled
Accounts: Rename administrator account =

```powershell
# Create and configure the GPO
Import-Module GroupPolicy

# Create a new GPO
$gpoName = "Disable Built-in Administrator"
New-GPO -Name $gpoName -Comment "Disables built-in Administrator account across domain"

# Security Options setting.
# Note: "Accounts: Administrator account status" is a Security Options policy stored in the
# GPO's security template (GptTmpl.inf, [System Access] EnableAdminAccount = 0), not a
# registry-based policy, so Set-GPRegistryValue cannot apply it. Set it in the GPMC editor
# at the path above once the GPO exists.

# Link the GPO to the OU
New-GPLink -Name $gpoName -Target "OU=Computers,DC=company,DC=com"
Write-Output "GPO '$gpoName' created and linked successfully"
```
```powershell
Configuration DisableBuiltinAdmin {
    param(
        [string]$ComputerName = 'localhost',
        [PSCredential]$SecureAdminCredential   # Password for the replacement account
    )
    Node $ComputerName {
        User DisableAdministrator {
            UserName    = 'Administrator'
            Ensure      = 'Present'
            Disabled    = $true
            Description = 'Built-in Administrator - Disabled for security'
        }
        # Alternative user creation
        User SecureAdmin {
            UserName               = 'SecureAdmin'
            Ensure                 = 'Present'
            Password               = $SecureAdminCredential
            PasswordChangeRequired = $false
            PasswordNeverExpires   = $false
            Description            = 'Secure replacement for built-in Administrator'
        }
        Group AddSecureAdminToAdministrators {
            GroupName        = 'Administrators'
            Ensure           = 'Present'
            MembersToInclude = 'SecureAdmin'
            DependsOn        = '[User]SecureAdmin'
        }
    }
}

# Apply configuration. Compiling a credential into the MOF requires either a certificate
# or PSDscAllowPlainTextPassword in the configuration data; use a certificate in production.
$configData = @{ AllNodes = @(@{ NodeName = $env:COMPUTERNAME; PSDscAllowPlainTextPassword = $true }) }
DisableBuiltinAdmin -ComputerName $env:COMPUTERNAME -ConfigurationData $configData `
    -SecureAdminCredential (Get-Credential -UserName 'SecureAdmin' -Message 'Password for SecureAdmin')
Start-DscConfiguration -Path .\DisableBuiltinAdmin -Wait -Verbose
```
```powershell
# Secure admin account creation strategy
Add-Type -AssemblyName System.Web   # Needed for Membership.GeneratePassword (Windows PowerShell)
$adminAccounts = @(
    @{ Name = "adm_john.doe";  Description = "John Doe - Administrative Account" },
    @{ Name = "svc_backup";    Description = "Backup Service Account" },
    @{ Name = "adm_emergency"; Description = "Emergency Access Account" }
)
foreach ($account in $adminAccounts) {
    # Generate a strong password (16 characters, at least 4 non-alphanumeric).
    # Store it in your vault immediately; it is not written anywhere else.
    $password       = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force

    # Create the account
    New-LocalUser -Name $account.Name -Password $securePassword -Description $account.Description

    # Add it to the Administrators group
    Add-LocalGroupMember -Group "Administrators" -Member $account.Name

    # Security settings
    Set-LocalUser -Name $account.Name -PasswordNeverExpires $false -UserMayChangePassword $true
    Write-Output "Created secure admin account: $($account.Name)"
}
```
```powershell
function New-TemporaryAdminAccess {
    param(
        [Parameter(Mandatory)][string]$RequestedBy,
        [Parameter(Mandatory)][string]$BusinessJustification,
        [int]$DurationHours = 4,
        [Parameter(Mandatory)][string]$TargetSystem
    )
    # Approval workflow (simplified). Get-ManagerApproval stands for your organisation's
    # approval integration and is not defined here.
    $approvalRequired = $true
    if ($approvalRequired) {
        $approval = Get-ManagerApproval -Requestor $RequestedBy -Justification $BusinessJustification
        if (-not $approval.Approved) {
            throw "Access request denied by manager"
        }
    }

    # Temporary account creation
    Add-Type -AssemblyName System.Web
    $tempAccountName = "tmp_$($RequestedBy)_$(Get-Date -Format 'yyyyMMddHHmm')"
    $tempPassword    = [System.Web.Security.Membership]::GeneratePassword(20, 5)
    $securePassword  = ConvertTo-SecureString $tempPassword -AsPlainText -Force

    # Create the temporary admin account
    Invoke-Command -ComputerName $TargetSystem -ScriptBlock {
        param($AccountName, $SecurePassword, $Description)
        New-LocalUser -Name $AccountName -Password $SecurePassword -Description $Description
        Add-LocalGroupMember -Group "Administrators" -Member $AccountName
    } -ArgumentList $tempAccountName, $securePassword, "Temporary admin access for $RequestedBy"

    # Schedule automatic removal. The task runs in a new process, so the account and target
    # names are embedded in the command text rather than passed as a script block.
    $removalTime    = (Get-Date).AddHours($DurationHours)
    $removalCommand = "Invoke-Command -ComputerName '$TargetSystem' -ScriptBlock { Remove-LocalUser -Name '$tempAccountName' }"
    Register-ScheduledTask -TaskName "RemoveTempAdmin_$tempAccountName" `
        -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -Command `"$removalCommand`"") `
        -Trigger (New-ScheduledTaskTrigger -Once -At $removalTime)

    # Audit logging (the "PAM System" event source must be registered once with New-EventLog)
    Write-EventLog -LogName Application -Source "PAM System" -EventId 1001 `
        -Message "Temporary admin access granted to $RequestedBy for $TargetSystem. Account: $tempAccountName, Duration: $DurationHours hours"

    return @{
        AccountName    = $tempAccountName
        Password       = $tempPassword
        ExpirationTime = $removalTime
        TargetSystem   = $TargetSystem
    }
}
```
```powershell
function Monitor-BuiltinAdminUsage {
    param(
        [int]$LookbackHours = 24
    )
    $startTime = (Get-Date).AddHours(-$LookbackHours)

    # Event log analysis for Administrator logons.
    # Properties[5] is TargetUserName and Properties[4] is TargetUserSid in both 4624 and 4625.
    $adminLogons = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        ID        = 4624, 4625   # Successful and failed logons
        StartTime = $startTime
    } | Where-Object {
        $_.Properties[5].Value -eq "Administrator" -or $_.Properties[4].Value -like "*-500"
    }

    $suspiciousActivity = foreach ($event in $adminLogons) {
        # The remaining fields sit at different property indices in 4624 and 4625
        $failed      = $event.Id -eq 4625
        $logonType   = if ($failed) { $event.Properties[10].Value } else { $event.Properties[8].Value }
        $sourceIP    = if ($failed) { $event.Properties[19].Value } else { $event.Properties[18].Value }
        $workstation = if ($failed) { $event.Properties[13].Value } else { $event.Properties[11].Value }
        $processName = if ($failed) { $event.Properties[18].Value } else { $event.Properties[17].Value }
        $logonTypeName = switch ([int]$logonType) {
            2       { "Interactive" }
            3       { "Network" }
            4       { "Batch" }
            5       { "Service" }
            7       { "Unlock" }
            8       { "NetworkCleartext" }
            9       { "NewCredentials" }
            10      { "RemoteInteractive" }
            11      { "CachedInteractive" }
            default { "Unknown ($logonType)" }
        }
        [pscustomobject]@{
            TimeCreated     = $event.TimeCreated
            EventId         = $event.Id
            LogonType       = $logonTypeName
            SourceIP        = if ($sourceIP -ne "-") { $sourceIP } else { "Local" }
            WorkstationName = $workstation
            ProcessName     = $processName
            Severity        = if ($failed) { "Failed Login" } else { "Successful Login" }
        }
    }

    # Alert on any built-in Administrator usage
    if (@($suspiciousActivity).Count -gt 0) {
        $alertMessage = @"
SECURITY ALERT: Built-in Administrator account usage detected!
Time Range: Last $LookbackHours hours
Total Events: $(@($suspiciousActivity).Count)
Details:
$($suspiciousActivity | Format-Table -AutoSize | Out-String)
Action Required: Investigate immediately and disable built-in Administrator if not already done.
"@
        Write-Warning $alertMessage

        # Send email alert (if configured)
        if ($global:SecurityAlertEmail) {
            Send-MailMessage -To $global:SecurityAlertEmail -Subject "CRITICAL: Built-in Administrator Usage Detected" `
                -Body $alertMessage -SmtpServer $global:SMTPServer
        }
    }
    return $suspiciousActivity
}

# Scheduled monitoring (run every hour). The task starts a fresh PowerShell process, so the
# function must be saved to a script (the path below is an example) that the task runs.
Register-ScheduledTask -TaskName "Monitor-BuiltinAdmin" `
    -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\Monitor-BuiltinAdminUsage.ps1") `
    -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1))
```
```text
# Built-in Administrator logon detection (SPL: like() uses % as the wildcard)
index=windows (EventCode=4624 OR EventCode=4625)
| eval account_name=mvindex(Account_Name,1), target_sid=mvindex(Security_ID,1)
| where match(account_name, "(?i)administrator") OR like(target_sid, "%-500")
| stats count by account_name, src_ip, Logon_Type, _time
| sort -_time
```

The same detection as an Elasticsearch query. The bodies of the must/should clauses did not survive extraction and are filled in here from the Splunk query's logic, assuming Winlogbeat field names:

```json
{
  "query": {
    "bool": {
      "must": [
        { "terms": { "winlog.event_id": ["4624", "4625"] } },
        {
          "bool": {
            "should": [
              { "term": { "winlog.event_data.TargetUserName": "Administrator" } },
              { "wildcard": { "winlog.event_data.TargetUserSid": "*-500" } }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "aggs": {
    "by_source": {
      "terms": { "field": "winlog.event_data.IpAddress" }
    }
  }
}
```
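The detection logic behind the monitoring function and the SIEM queries above, as an added Python example that is not part of the original post and runs on constructed sample events: it identifies the built-in account by RID 500 of its SID (so a renamed account is still caught on 4624), falls back to the name for 4625 events (which report the NULL SID S-1-0-0 for the target), and flags sources that keep failing against it, the brute-force pattern the lockout exemption permits. Field names follow the Windows event data; the threshold of 5 failures is an assumed tuning value.

```python
import re
from collections import Counter

# Built-in Administrator: domain/machine prefix S-1-5-21-x-y-z with RID exactly 500
BUILTIN_ADMIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")


def is_builtin_admin(event):
    """True if the event targets the built-in Administrator.

    4624 carries the real TargetUserSid, so the RID-500 check catches a renamed
    account. 4625 reports S-1-0-0 for the target, so only the name is usable there.
    """
    if BUILTIN_ADMIN_SID.match(event.get("TargetUserSid", "")):
        return True
    return event.get("TargetUserName", "").lower() == "administrator"


def detect(events, fail_threshold=5):
    """Return (successful RID-500 logons, {source_ip: failures}) above the threshold."""
    successes = []
    failures = Counter()
    for ev in events:
        if not is_builtin_admin(ev):
            continue
        if ev["id"] == 4624:
            successes.append((ev["IpAddress"], ev["LogonType"], ev["TargetUserName"]))
        elif ev["id"] == 4625:
            failures[ev["IpAddress"]] += 1
    brute_force = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return successes, brute_force


def _failed(ip, name="Administrator"):
    # Constructed 4625 sample: failed logons carry the NULL SID for the target account
    return {"id": 4625, "TargetUserName": name, "TargetUserSid": "S-1-0-0",
            "IpAddress": ip, "LogonType": 3}


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [_failed("10.0.0.7") for _ in range(6)] + [
    _failed("10.0.0.9"), _failed("10.0.0.9"), _failed("10.0.0.9", "john.doe"),
    # Successful network logon by the RID-500 account after it was renamed to svc_ops
    {"id": 4624, "TargetUserName": "svc_ops", "TargetUserSid": "S-1-5-21-111-222-333-500",
     "IpAddress": "10.0.0.7", "LogonType": 3},
    # Ordinary user with RID 1500, which must not be mistaken for RID 500
    {"id": 4624, "TargetUserName": "jane.doe", "TargetUserSid": "S-1-5-21-111-222-333-1500",
     "IpAddress": "-", "LogonType": 2},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```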
```powershell
function Invoke-BuiltinAdminIncidentResponse {
    param(
        [string]$SourceIP,
        [string]$ComputerName,
        [string]$LogonType
    )
    # Immediate response actions
    $responseActions = @()

    # 1. Disable the built-in Administrator if still enabled (looked up by RID 500, in case it was renamed)
    try {
        $builtinAdmin = Get-LocalUser | Where-Object { $_.SID -like "*-500" }
        if ($builtinAdmin.Enabled) {
            Disable-LocalUser -SID $builtinAdmin.SID
            $responseActions += "Disabled built-in Administrator account"
        }
    } catch {
        $responseActions += "Could not disable Administrator account: $($_.Exception.Message)"
    }

    # 2. Block the source IP if it is remote
    if ($SourceIP -and $SourceIP -ne "127.0.0.1" -and $SourceIP -ne "-") {
        New-NetFirewallRule -DisplayName "Block Suspicious IP - $SourceIP" -Direction Inbound -RemoteAddress $SourceIP -Action Block
        $responseActions += "Blocked source IP: $SourceIP"
    }

    # 3. Enforce password expiry for all local admin accounts
    $adminUsers = Get-LocalGroupMember -Group "Administrators" | Where-Object { $_.ObjectClass -eq "User" }
    foreach ($admin in $adminUsers) {
        try {
            Set-LocalUser -SID $admin.SID -PasswordNeverExpires $false
            $responseActions += "Reset password policy for: $($admin.Name)"
        } catch {
            $responseActions += "Could not update password policy for: $($admin.Name)"
        }
    }

    # 4. Generate the incident report
    $incidentReport = @{
        Timestamp       = Get-Date
        SourceIP        = $SourceIP
        ComputerName    = $ComputerName
        LogonType       = $LogonType
        ResponseActions = $responseActions
        Severity        = "CRITICAL"
        Status          = "AUTO_RESPONDED"
    }

    # 5. Log the incident
    $incidentReport | ConvertTo-Json | Out-File "BuiltinAdminIncident_$(Get-Date -Format 'yyyyMMddHHmmss').json"
    return $incidentReport
}
```
```powershell
function Test-BuiltinAdminCompliance {
    param(
        [string[]]$ComputerNames = @($env:COMPUTERNAME)
    )
    $complianceResults = @(foreach ($computer in $ComputerNames) {
        try {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                # Find the local built-in Administrator by RID 500
                $localAdmin = Get-LocalUser | Where-Object { $_.SID -like "*-500" }

                # Compliant only if the built-in admin is disabled
                $isCompliant = -not $localAdmin.Enabled

                # Additional check: is there another administrator account?
                $hasAlternativeAdmins = @(Get-LocalGroupMember -Group "Administrators" |
                    Where-Object { $_.SID -ne $localAdmin.SID }).Count -gt 0

                [pscustomobject]@{
                    ComputerName         = $env:COMPUTERNAME
                    BuiltinAdminName     = $localAdmin.Name
                    BuiltinAdminEnabled  = $localAdmin.Enabled
                    BuiltinAdminSID      = $localAdmin.SID.Value
                    HasAlternativeAdmins = $hasAlternativeAdmins
                    IsCompliant          = $isCompliant -and $hasAlternativeAdmins
                    LastChecked          = Get-Date
                }
            }
        } catch {
            [pscustomobject]@{
                ComputerName         = $computer
                BuiltinAdminName     = "ERROR"
                BuiltinAdminEnabled  = "UNKNOWN"
                BuiltinAdminSID      = "ERROR"
                HasAlternativeAdmins = $false
                IsCompliant          = $false
                LastChecked          = Get-Date
                Error                = $_.Exception.Message
            }
        }
    })

    # Generate the compliance summary
    $compliantCount = @($complianceResults | Where-Object IsCompliant).Count
    $summary = @{
        TotalSystems         = $complianceResults.Count
        CompliantSystems     = $compliantCount
        NonCompliantSystems  = $complianceResults.Count - $compliantCount
        CompliancePercentage = if ($complianceResults.Count -gt 0) {
            [Math]::Round(($compliantCount / $complianceResults.Count) * 100, 2)
        } else { 0 }
    }
    return @{
        DetailedResults = $complianceResults
        Summary         = $summary
    }
}

# Run the compliance check and generate reports
$complianceData = Test-BuiltinAdminCompliance
$complianceData.DetailedResults | Export-Csv -Path "BuiltinAdminCompliance_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
$complianceData.Summary | ConvertTo-Json | Out-File "ComplianceSummary_$(Get-Date -Format 'yyyyMMdd').json"
```
```powershell
# Discovery phase script
function Start-BuiltinAdminAssessment {
    $allComputers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
    $assessmentResults = foreach ($computer in $allComputers) {
        try {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                $admin       = Get-LocalUser | Where-Object { $_.SID -like "*-500" }
                $adminGroups = Get-LocalGroupMember -Group "Administrators"
                [pscustomobject]@{
                    Computer               = $env:COMPUTERNAME
                    AdminName              = $admin.Name
                    AdminEnabled           = $admin.Enabled
                    AdminLastLogon         = $admin.LastLogon
                    AlternativeAdmins      = @($adminGroups | Where-Object { $_.SID -ne $admin.SID }).Count
                    # Services configured to run as the built-in Administrator
                    ServicesRunningAsAdmin = @(Get-CimInstance Win32_Service |
                        Where-Object { $_.StartName -like "*$($admin.Name)" }).Count
                }
            }
        } catch {
            Write-Warning "Could not assess $computer : $($_.Exception.Message)"
        }
    }
    return $assessmentResults
}
```
```powershell
# Create alternative admin accounts
function New-AlternativeAdminAccounts {
    param([string[]]$TargetComputers)
    foreach ($computer in $TargetComputers) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            # Create the emergency admin account
            Add-Type -AssemblyName System.Web
            $emergencyPassword = [System.Web.Security.Membership]::GeneratePassword(20, 5)
            $securePassword    = ConvertTo-SecureString $emergencyPassword -AsPlainText -Force
            New-LocalUser -Name "EmergencyAdmin" -Password $securePassword -Description "Emergency administrative access"
            Add-LocalGroupMember -Group "Administrators" -Member "EmergencyAdmin"
            # Store the password securely (implement your secure storage solution);
            # printing it, as below, is only acceptable in a controlled pilot
            Write-Output "Emergency admin created for $env:COMPUTERNAME with password: $emergencyPassword"
        }
    }
}
```
```powershell
# Disable the built-in administrator with safety checks
function Disable-BuiltinAdminSafely {
    param([string[]]$TargetComputers)
    foreach ($computer in $TargetComputers) {
        try {
            $safetyCheck = Invoke-Command -ComputerName $computer -ScriptBlock {
                # Verify an alternative admin exists (anything in Administrators other than RID 500)
                $alternativeAdmins = @(Get-LocalGroupMember -Group "Administrators" |
                    Where-Object { $_.ObjectClass -eq "User" -and $_.SID -notlike "*-500" })
                if ($alternativeAdmins.Count -eq 0) {
                    throw "No alternative admin accounts found!"
                }

                # Disable the built-in admin, located by RID 500 in case it was renamed
                $builtinAdmin = Get-LocalUser | Where-Object { $_.SID -like "*-500" }
                Disable-LocalUser -SID $builtinAdmin.SID

                # Verify the disable succeeded
                $adminStatus = (Get-LocalUser -SID $builtinAdmin.SID).Enabled
                [pscustomobject]@{
                    Success           = -not $adminStatus
                    AlternativeAdmins = $alternativeAdmins.Count
                    DisabledTime      = Get-Date
                }
            }
            if ($safetyCheck.Success) {
                Write-Output "Successfully disabled built-in Administrator on $computer"
            } else {
                Write-Warning "Built-in Administrator on $computer is still enabled"
            }
        } catch {
            Write-Error "Failed to disable Administrator on $computer : $($_.Exception.Message)"
        }
    }
}
```
Disabling the Built-in Administrator Account is one of the most critical requirements of Windows security. The account's exemption from lockout gives attackers an unlimited brute-force opportunity and seriously threatens the organization's security.

By applying this configuration you remove the critical risk posed by the Built-in Administrator Account and build a privileged access management foundation that meets modern security standards. This change will significantly raise your organization's security posture.