https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464896#M102543 <P>you're preaching to the choir, as long as your physical security is in place, and you've safeguarded local admin credentials, a local admin is part of good BCP/DRP design. I had to shake my head a little on that one. do you have access to any documentation that I can reference?&nbsp;</P> Thu, 10 Feb 2022 15:02:49 GMT S_Hiebert 2022-02-10T15:02:49Z https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464616#M102514 <P>hello all,</P><P>I'm a PA noob who has recently just transitioned to a team that has a pretty heavy backlog. sorting through it, I see another team has requested that we remove local admin accounts from our firewalls. to my knowledge, the only local accounts on any of the FWs is the default account, with all admins authenticating using AD.&nbsp;</P><P>I understand the possible security risks of having a local admin, but not having any backup to networked AAA services sounds really dumb to me. some vendors won't even permit you to run without local credentials.&nbsp;<BR />does PanOS even permit you to run without a local admin, default or otherwise?&nbsp;</P><P>is there any difference between a VM and dedicated appliance? we run both.&nbsp;</P><P>&nbsp;</P><P>any answers or documentation you could provide would be much appreciated.&nbsp;</P> Wed, 09 Feb 2022 20:09:52 GMT https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464616#M102514 S_Hiebert 2022-02-09T20:09:52Z https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464715#M102526 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/207969">@S_Hiebert</a>,</P> <P>Why would you ever want to remove any local admin account from your firewalls? If your AAA servers are down you couldn't login, if you made a mistake and severed communication to the box you couldn't login, the upstream network is down you can't login. Sounds like an incompetent security department not thinking through the actual repercussions of what they're requesting.</P> <P>Regardless, you can't actually do this in PAN-OS. You need at least one superuser account active in the administrators group to prevent people from doing exactly what your other group is asking.&nbsp;</P> Thu, 10 Feb 2022 03:28:02 GMT https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464715#M102526 BPry 2022-02-10T03:28:02Z https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464896#M102543 <P>you're preaching to the choir, as long as your physical security is in place, and you've safeguarded local admin credentials, a local admin is part of good BCP/DRP design. I had to shake my head a little on that one. do you have access to any documentation that I can reference?&nbsp;</P> Thu, 10 Feb 2022 15:02:49 GMT https://live.paloaltonetworks.com/t5/general-topics/are-you-permitted-to-remove-all-local-admin-accounts-pan-os-9-1/m-p/464896#M102543 S_Hiebert 2022-02-10T15:02:49Z