Tech Log Entry--Local User Account Security Audit (Windows 11)

 


Local User Account Security Audit (Windows 11)


(Disabling Unused Accounts & the PostgreSQL Service Account)


1. Problem Identified

During IT coursework, the PowerShell cmdlet Get-LocalUser was used to audit all local user accounts on a Windows 11 home desktop. The results revealed an unexpected enabled account: postgres, a service account created by a prior PostgreSQL database installation. PostgreSQL had been briefly installed for coursework purposes, then uninstalled — but the uninstaller process left the user account behind in an enabled state. No PostgreSQL service or processes were found to be running at the time of discovery.


2. Investigation & Learning

The following PowerShell commands were used to investigate the system's account and service state:

  • Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet

  • Get-Service -Name postgresql*

  • Get-Service | Where-Object { $_.DisplayName -like "*postgres*" }

  • Get-Process | Where-Object { $_.Name -like "*postgres*" }

Key finding: The uninstaller had removed the PostgreSQL service and all running processes, but left the postgres local user account itself as present and enabled. An enabled account with no active service still represents an unnecessary attack surface — a potential target for brute-force attacks or lateral movement if another vulnerability is exploited.


3. Solution & Steps Taken

The account was disabled using an elevated (Administrator) PowerShell session:

  • Disable-LocalUser -Name "postgres"

Disabling (rather than deleting) was the correct approach: it preserves the account's SID and permissions for future use, and avoids conflicts if PostgreSQL is reinstalled. Re-enabling is trivial: Enable-LocalUser -Name "postgres".


4. Security Context & Broader Lessons

This exercise illustrates several core security principles:

  • Principle of Least Privilege: Accounts and services should only be active when actively needed. Every enabled account is a potential entry point.

  • Software Installers Leave Residue: Uninstallers frequently leave behind user accounts, registry entries, and scheduled tasks. Post-uninstall audits are good practice.

  • Audit Regularly: Periodic use of Get-LocalUser can catch accounts silently created by software updates, game clients, or remote management tools.

  • Disable, Don't Delete: For service accounts, disabling preserves the account for future reinstallation while eliminating the attack surface.

  • NIST Password Guidance: Strong, unique passwords (20+ characters, mixed character classes, non-dictionary) do not require scheduled rotation — change only when there is cause.


5. Future Tasks & Calendar Reminders

  • December 2026 — Re-enable postgres and resume PostgreSQL study: Run Enable-LocalUser -Name "postgres", reinstall PostgreSQL fresh, and pick up database coursework. Verify pg_hba.conf restricts connections to localhost only, and confirm a strong unique password is set for the postgres DB superuser.

  • Ongoing — Periodic account audit: Run Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet every few months to catch new or unexpectedly re-enabled accounts.

  • Ongoing — Service startup audit: After any major software install or update, run Get-Service | Where-Object { $_.StartType -eq 'Automatic' } to ensure no unwanted services are set to auto-start.

Comments

Post a Comment

Popular posts from this blog

Tech Log-Browser Image Agent project

Tech Log Entry — Browser Image Agent:  An AI-Powered Image Tagger and Saver Category: AI / Computer Vision / Browser Automation / Local LLM / Python Initial Goal I wanted a tool to automatically save images from open browser tabs to a local folder, with descriptive, search-friendly filenames and tags generated by an AI vision model — replacing manual save-and-rename workflows. All processing to be fully local: no cloud APIs, no subscriptions, no data leaving the machine. The tool should use only free open-source software, run on my Windows 11 desktop, and leverage my RTX 3060 GPU for local AI inference. Two operating modes: fully automatic (save all qualifying images without interruption) and human-in-the-loop review (confirm each image before saving). Hardware Used Desktop: Windows 11 Home, NVIDIA GeForce RTX 3060 (12 GB VRAM) No additional hardware required — everything runs locally on the desktop Software Stack Python 3.12 Ollama 0.17.7 (local AI runtime) Vision mode...
Read more

Telling Rocks What To Think

Image
Telling Rocks What To Think First post on this new blog format.  I'm establishing this medium for recoding my professional (coding) experiences, impressions, problems, plans, and solutions. Erin Spiceland said "Coding is the art of telling rocks what to think."  It's metaphorical, but not by much.  Digital computing mostly relies on silicon working its logic and magic.  You talk to it in painfully specific code.  You need all the material, semantic, and verbal components just right.  If you get it right, then it talks back.  Get it wrong, and you have just found a "bug". I named my blog "Debug and Rebug" to indicate two key principles of my approach to coding.  First, "debug": When you write your code, it will never work perfectly, as you envision it.  Perfect running never happens; it's an inevitable consequence of entropy, human lateral thinking, and logic's inexorable conflict with our wants.  Those are some fancy words, all ri...
Read more

Humanity as gaslighting victims of LLMs?

Image
Humanity as gaslighting victims of LLMs?     Are we being gaslit (gaslighted?  gaslightified?  gaslitted?) by LLMs?  Are they subtly and not-so-subtly guiding our behavior? No, not really, to the first question.  And "Well, duh" is a spot-on answer, I think, to the second. Maybe you've heard of this?     -->>  " Adding a feature because ChatGPT incorrectly thinks it exists " https://www.holovaty.com/writing/chatgpt-fake-feature/ ChatGPT started a pattern of repeated (if somewhat logically-arrived at) hallucinations, telling thousands of people that an online music scanner app had a certain feature, which it, in fact, did not.  This went on long enough, that the app's programmer decided to go with the flow and add the feature.  Since people were expecting it, he felt he should provide it.  But the customers would not have expected it, had they not asked a hallucinating LLM. Certainly there are the apocryphal stor...
Read more