Smallvoid.com
  • Home
  • About
  • Articles
  • Links
  • Forum

Securing the local Administrator account

September 1, 2001 by Snakefoot | 2 Comment

The Administrator account is the default account created during the install of Windows. It doesn't have different rights compared to other accounts that are part of the Administrators-group. The only difference is that the name of the account is known by many people.

Different options are available for protecting the Administrator account (which can be combined):
  • Use a firewall to block all access to the machine from network.
  • Deny network logon with accounts included in the Administrator-group using group policies:
    1. Start the Local Security Policies snapin
    2. In the tree-view go to "Local Policies" -> "User Rights Assignment"
    3. Go to the entry "Deny access to this computer from the network" and double click it to add the Administrators-group.
    More info MS KB281140
  • Change the name of the Administrator account:
    1. Open the Control Panel and double click Users and Passwords
    2. On the Users-tab tick Users must enter a username and password to use this computer
    3. In the list Users for this computer: select the Administrator account
    4. Click Properties-button and in the new window change the User name to something you can remember yourself
    Related Advanced User Management in Windows XP Home
  • Setup a password for the Administrator account:

    Windows XP will by default block network access to accounts with no password, and configures the Administrator account to have no password. Don't set a password for the Administrator account, unless wanting to enable access to the account from the network.
    1. Open the Control Panel and double click Users and Passwords
    2. On the Users-tab tick Users must enter a username and password to use this computer
    3. In the list Users for this computer: select the Administrator account
    4. Click Set Password...-button and in the new window type in the new password.
  • Use PassProp to protect the built-in administrator account from being attacked by dictionary password crackers. The built-in administrator account can never be disabled by default, so if having guessed the built-in administrator account name, then it can be attacked without the account becoming disabled. The PassProp utility can change the administrator account so it will react to password lockout policies. More Info The Administrator Accounts Security Planning Guide
Note one can also rename the Administrator account using the "Local Users and Groups" MMC-Snapin:
  1. Press Start-button and select Run... this command:

    lusrmgr.msc

  2. Select the folder Users and right click the Administrator account and select Rename
  3. Change the name to something you can remember
Note one can also rename the Administrator account using the group policy editor:
  1. Start the Local Security Policies snapin
  2. In the tree-view go to Local Policies -> Security Options
  3. In the list find the item Rename Administrator Account and double click it to change it to something you can remember yourself
More info MS KB298252
More info MS KB320053
Tags:
  • administrator, group-policy, password, remote-access, user-account, windows-login
Category:
  • User Security,
  • User Security,
  • User Security,
  • User Security

Comments:

  1. chris says:
    8 October 2003 at 3:13

    I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

    Reply
  2. snakefoot says:
    8 October 2003 at 14:44

    chris
    I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

    Yes you are correct, I have now updated the tip with some different ways to access the user configuration.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related Posts

  • Configure Automatic Logon in Windows NT
  • Restrict guest access to event logs
  • Moving the userprofile to a different location
  • Using NULL sessions to view shares and user accounts
  • Restrict access for NULL sessions

Recent Posts

  • Disable IPv6 imaginary tunnel network interfaces
  • Encrypted backup to OneDrive or DropBox
  • Description of soft and hard page faults
  • Windows 10 Upgrade with black screen
  • Wordpress 4.2 Upgrade

Meta

  • Log in
  • Entries feed
  • Comments feed