The servers running Exchange Server in your environment should have unique, complex local administrator passwords. The passwords should also ideally be unknown by anyone in the organization.
The first practice is important. Using different local admin passwords mitigates lateral movement by attackers who have already compromised one host in your environment. Domain admin credentials are not all that important to an attacker if they know the one password that gains them access to every server anyway.
The resistance to unique local admin passwords is usually due to the technical debt of old build practices, which leave the same password in use everywhere in an environment today. Fixing build processes to create unique passwords is one thing, but the task of generating unique passwords and updating every host in the environment causes a lot of admins to put it somewhere on their “to do” list, where all good ideas go to die.
Fortunately, Microsoft provides the Local Administrator Password Solution (LAPS) tool that can help you roll out the change to your environment. You can read about LAPS and see a demonstration of how to use it here.
The second practice is also important, but I receive a lot more pushback on that one. The idea that local admin passwords are unknown is scary to some admins who are concerned that one day they’ll have one of those “break the glass” emergencies where they need a local account to fix it.
Again, LAPS can help you by making the passwords retrievable even though nobody happens to know it at any given time (well, sort of). But if you have a highly available Exchange deployment, meaning multiple servers are deployed, and you subscribe to the “cattle not pets” methodology of server management, the type of situations where local admin access would be required are really the type of situations where you would consider doing a clean OS build and recovery of Exchange instead.
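As an added example (not code from the original post), the audit below covers both practices from the preceding paragraphs: it checks which Exchange servers in an OU are actually under LAPS management, verifies that the stored local admin passwords are distinct from one another without printing any of them, and wraps a “break the glass” retrieval so that the password is rotated right after it has been used. It assumes the legacy Microsoft LAPS client is deployed with its schema extension in place, that the `AdmPwd.PS` and `ActiveDirectory` modules are installed on the admin workstation, and that the running account has been granted read rights on `ms-Mcs-AdmPwd`. The OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Assumes legacy LAPS (AdmPwd.PS)
# and the ActiveDirectory module are installed and the caller has read
# permission on ms-Mcs-AdmPwd. The OU below is a placeholder.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ExchangeOU = 'OU=Exchange,OU=Servers,DC=contoso,DC=com'   # placeholder OU

function Get-LapsCoverage {
    # Reports, per computer, whether LAPS has ever set a password expiry.
    # A missing ms-Mcs-AdmPwdExpirationTime means the client is not managing
    # that host, so its local admin password is still whatever the build left.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' | ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            ComputerName = $_.Name
            LapsManaged  = [bool]$raw
            # The attribute is a Windows FILETIME; convert it for readability.
            Expires      = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        }
    }
}

function Get-PasswordHash {
    # Hash the retrieved password so uniqueness can be compared without the
    # plaintext ever reaching a report, a transcript or the console.
    param([Parameter(Mandatory)][string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha.Dispose()
    }
}

function Test-LapsUniqueness {
    # Flags any two hosts whose stored local admin passwords are identical.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $seen = @{}
    foreach ($name in $ComputerName) {
        $entry = Get-AdmPwdPassword -ComputerName $name
        if (-not $entry.Password) {
            Write-Warning "$name : no LAPS password stored in AD"
            continue
        }
        $h = Get-PasswordHash -Password $entry.Password
        if ($seen.ContainsKey($h)) {
            Write-Warning "$name shares its local admin password with $($seen[$h])"
        } else {
            $seen[$h] = $name
        }
    }
    "Checked $($ComputerName.Count) hosts; $($seen.Count) distinct passwords."
}

function Invoke-BreakGlassRetrieval {
    # "Break the glass": hand the current password to the operator, then
    # schedule an immediate rotation so the disclosed value stops being valid
    # as soon as the LAPS client next runs.
    param([Parameter(Mandatory)][string]$ComputerName)
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    Write-Host "Password for $ComputerName retrieved; rotation scheduled at next client refresh."
    $entry.Password
}

# Usage: list coverage, call out unmanaged hosts, then check uniqueness.
$coverage = Get-LapsCoverage -SearchBase $ExchangeOU
$coverage | Format-Table -AutoSize
$coverage | Where-Object { -not $_.LapsManaged } |
    ForEach-Object { Write-Warning "$($_.ComputerName) is not under LAPS management" }
Test-LapsUniqueness -ComputerName ($coverage | Where-Object LapsManaged).ComputerName
```

Hosts reported as not under management are the ones still carrying the shared build-time password and should be the first to get the LAPS client and policy. Comparing SHA-256 digests rather than the passwords themselves keeps the uniqueness check safe to run from a logged session.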
I don’t understand why a domain-joined Windows machine, be it a server or PC, should have a local admin account. As it is domain-joined, the domain admin always has access and the local admin account is disabled at the same time. It would make sense if a domain-joined machine could be configured for ONLY local admin account access. As far as I can tell, that’s possible only by removing the machine from the domain. At that point, LAPS is out of the question. Furthermore, IMO, enabling the local admin account on a domain-joined machine only broadens the attack surface.
I probably overlook something, so I wonder how this setup is done?
If the PC loses its trust relationship with the domain, you’ll definitely need the local admin.