23a7 Securing the local Administrator account | User Security | Smallvoid.com

Securing the local Administrator account

1 September 2001 by Snakefoot | Comment » | Trackback Off
The Administrator account is the default account created during the install of Windows. It doesn't have different rights compared to other accounts that are part of the Administrators-group. The only difference is that the name of the account is known by many people.

Different options are available for protecting the Administrator account (which can be combined):
  • Use a firewall to block all access to the machine from network.
  • Deny network logon with accounts included in the Administrator-group using group policies:
    1. Start the Local Security Policies snapin
    2. In the tree-view go to "Local Policies" -> "User Rights Assignment"
    3. Go to the entry "Deny access to this computer from the network" and double click it to add the Administrators-group.
    More info MS KB Q281140
  • Change the name of the Administrator account:
    1. Open the Control Panel and double click Users and Passwords
    2. On the Users-tab tick Users must enter a username and password to use this computer
    3. In the list Users for this computer: select the Administrator account
    4. Click Properties-button and in the new window change the User name to something you can remember yourself
    Related Advanced User Management in Windows XP Home
  • Setup a password for the Administrator account:

    Windows XP will by default block network access to accounts with no password, and configures the Administrator account to have no password. Don't set a password for the Administrator account, unless wanting to enable access to the account from the network.
    1. Open the Control Panel and double click Users and Passwords
    2. On the Users-tab tick Users must enter a username and password to use this computer
    3. In the list Users for this computer: select the Administrator account
    4. Click Set Password...-button and in the new window type in the new password.
  • Use PassProp to protect the built-in administrator account from being attacked by dictionary password crackers. The built-in administrator account can never be disabled by default, so if having guessed the built-in administrator account name, then it can be attacked without the account becoming disabled. The PassProp utility can change the administrator account so it will react to password lockout policies. More Info The Administrator Accounts Security Planning Guide
Note one can also rename the Administrator account using the "Local Users and Groups" MMC-Snapin:
  1. Press Start-button and select Run... this command:

    lusrmgr.msc

  2. Select the folder Users and right click the Administrator account and select Rename
  3. Change the name to something you can remember
Note one can also rename the Administrator account using the group policy editor:
  1. Start the Local Security Policies snapin
  2. In the tree-view go to Local Policies -> Security Options
  3. In the list find the item Rename Administrator Account and double click it to change it to something you can remember yourself
More info MS KB Q298252
More info MS KB Q320053
1b21
Tags:
Category:

Updated: 20 June 2008

Comments:

Comment by chris - 8 October 2003 @ 3:13 Reply

I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

Comment by snakefoot - 8 October 2003 @ 14:44 Reply

chris
I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

Yes you are correct, I have now updated the tip with some different ways to access the user configuration.

Leave a comment


NB! Use the Forum for computer help and off-topic questions.

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>


0