Securing the local Administrator account

The Administrator account is the default account created during the install of Windows. It doesn't have different rights compared to other accounts that are part of the Administrators-group. The only difference is that the name of the account is known by many people.

Different options are available for protecting the Administrator account (which can be combined):

Use a firewall to block all access to the machine from network.
Deny network logon with accounts included in the Administrator-group using group policies:
1. Start the Local Security Policies snapin
2. In the tree-view go to "Local Policies" -> "User Rights Assignment"
3. Go to the entry "Deny access to this computer from the network" and double click it to add the Administrators-group.
More info MS KB281140
Change the name of the Administrator account:
1. Open the Control Panel and double click Users and Passwords
2. On the Users-tab tick Users must enter a username and password to use this computer
3. In the list Users for this computer: select the Administrator account
4. Click Properties-button and in the new window change the User name to something you can remember yourself
Related Advanced User Management in Windows XP Home
Setup a password for the Administrator account:

Windows XP will by default block network access to accounts with no password, and configures the Administrator account to have no password. Don't set a password for the Administrator account, unless wanting to enable access to the account from the network.
1. Open the Control Panel and double click Users and Passwords
2. On the Users-tab tick Users must enter a username and password to use this computer
3. In the list Users for this computer: select the Administrator account
4. Click Set Password...-button and in the new window type in the new password.
Use PassProp to protect the built-in administrator account from being attacked by dictionary password crackers. The built-in administrator account can never be disabled by default, so if having guessed the built-in administrator account name, then it can be attacked without the account becoming disabled. The PassProp utility can change the administrator account so it will react to password lockout policies. More Info The Administrator Accounts Security Planning Guide

Note one can also rename the Administrator account using the "Local Users and Groups" MMC-Snapin:

Press Start-button and select Run... this command:
lusrmgr.msc
Select the folder Users and right click the Administrator account and select Rename
Change the name to something you can remember

Note one can also rename the Administrator account using the group policy editor:

Start the Local Security Policies snapin
In the tree-view go to Local Policies -> Security Options
In the list find the item Rename Administrator Account and double click it to change it to something you can remember yourself

More info MS KB298252
More info MS KB320053

chris says:

8 October 2003 at 3:13

I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

snakefoot says:

8 October 2003 at 14:44

chris
I think you can rename administrator account by using the properties @ Control-Panel -> Users (click on user and ..properties)

Yes you are correct, I have now updated the tip with some different ways to access the user configuration.

Recent Posts

Meta