Disable or Rename Administrator Account

I recently saw that you can disable the administrator account in 2003 using group policy.  Historically I have always heard that it should be renamed and left active.  What is truly the best practice for handling the administrator account in Windows Server 2003?  
isttn24 asked:
Brian Pierce (Photographer) commented:
Ideally it should be both renamed and disabled. The problem with just renaming it is that it always uses a well known SID and any experienced hacker can track it down to its new name.
0
Member_2_49692 commented:
Here is Microsoft's take on it:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx

http://www.microsoft.com/technet/security/guidance/serversecurity/administratoraccounts/default.mspx

Basically yes, you want to rename the account; that keeps a lot of script kiddies out. When I checked failed security attempts we were getting 100 attempts per day using "Administrator", "Admin" or other common user names to signify a user account.

Regardless of what you name it, it can be found out by advanced attackers, who can find the admin account by cross-referencing the SID, which doesn't change.

Basically your best bet is: rename the account, use very strong passwords, configure your firewalls properly and secure your desktops.

More specific information is in the above guides.
0
Toni Uranjek (Consultant/Trainer) commented:
Hi!

Are we talking about the domain or the local administrator account? A local account can simply be disabled. The domain administrator account should, in my personal opinion, be:

1. Copied to create new user with the same privileges.
2. Original account should be renamed, disabled, and removed from any admins group.

Paranoid enough?
3. A new user account with logon name "administrator" should be created; it should not be disabled, should use an extremely long, strong password, and should be put in the Guest group or in a specially created group which we use for preventing access to any resource, for example "Deny all".

Observe the Security logs to see if any connections are being made for user "administrator".

HTH

Toni
0
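The two replies above describe the checks an administrator actually wants to run: confirm that the RID-500 account really has been renamed and disabled (the SID is what stays constant), and watch the Security log for logon attempts against the old well-known names. The following PowerShell audit script is an added example, not code from this thread or from Microsoft's guides; it assumes PowerShell 2.0 or later is installed on the server, that accounts in the domain can be resolved from where it runs, and that failed logons appear as event 529 (Server 2003 classic log) or 4625 (Server 2008 and later).

```powershell
# Added audit script, not from this thread. Assumes PowerShell 2.0+ (.NET 2.0) on the
# server, rights to resolve accounts in the domain and to read the Security log, and
# that failed logons are event 529 (Server 2003 classic log) or 4625 (Server 2008+).
$Domain = $env:USERDOMAIN   # assumption: NetBIOS domain name; use $env:COMPUTERNAME for a local audit

# --- 1. Find the built-in Administrator by its well-known RID (500), whatever it is named now.
#        AccountAdministratorSid combined with the domain SID yields S-1-5-21-<domain>-500.
$me        = New-Object System.Security.Principal.NTAccount("$Domain\$env:USERNAME")
$domainSid = $me.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
$adminSid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                -ArgumentList ([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid), $domainSid
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Read the account's state through the WinNT ADSI provider (works for local and domain accounts).
$acct     = [ADSI]"WinNT://$Domain/$adminName,user"
$disabled = [bool]$acct.InvokeGet('AccountDisabled')

"RID-500 account is currently named '$adminName' (SID $adminSid)"
if ($adminName -ieq 'Administrator') { 'WARNING: built-in Administrator has not been renamed' }
if ($disabled) { 'Account is disabled (note: Server 2003 re-enables it when booted into Safe Mode)' }
else           { 'WARNING: account is enabled' }

# --- 2. Count failed logons against the old well-known names, per day, over the last week.
$guessedNames = 'administrator', 'admin', 'root'   # constructed list of names mentioned in the thread
$pattern = '(?i)\b(' + ($guessedNames -join '|') + ')\b'
$since   = (Get-Date).AddDays(-7)

$failed = Get-EventLog -LogName Security -After $since -EntryType FailureAudit |
    Where-Object { ($_.InstanceId -eq 529 -or $_.InstanceId -eq 4625) -and $_.Message -match $pattern }

$failed | Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, @{ n = 'FailedLogons'; e = { $_.Count } } |
    Format-Table -AutoSize
```

A steady daily count against "administrator" after the rename is the signal both replies describe: guessing is still going on, but it is hitting a name that no longer maps to the RID-500 account.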

Member_2_49692 commented:
The downside to disabling it is that other programs (3rd-party apps, among other things) may require that account.
For example, some people have reported "one authentication scheme from a device to a server that tech support told me demanded the administrator account in the default User folder to work. That's not great programming, but I doubt it is uncommon."

IMHO, if they can break into your admin account then your passwords, firewall and other security items are not being implemented properly and/or are weak.

Script kiddies will be thwarted by the rename...
Experienced attackers are going to take the path of least resistance. Above all, let's face it: if they know what they are doing and really want in, nothing is 100% secure no matter what you do.
0
isttn24 (Author) commented:
I don't want to be overly paranoid, I just want to follow best practices for SOX auditing and things like that.  My biggest fear is disabling or renaming this account and then being locked out of it when I need it for something like an authoritative restore.  Is that possible?  What would happen if all other domain admin accounts became locked out and the original administrator account was disabled?

Per http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx it is best practice to rename and disable.  
0
Member_2_49692 commented:
"Every new installation of the Active Directory® directory service creates an Administrator account for each domain. By default this account cannot be deleted or locked out. In Microsoft® Windows Server 2003, the Administrator account can be disabled, but it is automatically re-enabled when you start the computer in Safe Mode."

So that account would never truly be disabled.

From here:
http://www.microsoft.com/technet/security/guidance/serversecurity/administratoraccounts/aapgch03.mspx
0
Member_2_49692 commented:
When dealing with SOX I would say definitely rename and disable the account; just make sure when you rename it you name it something non-obvious and also something with letters and numbers in it. This way it cannot be guessed, although the SID still identifies it. For example, renaming it to "Supervisor" would be obvious.
0
Member_2_49692 commented:
isttn24,

Really, this should have been either awarded to KCTS or a split between the two of us, seeing as how he initially gave you an answer. My post was 1 minute from his, but he did post first... after that I only gave follow-up information.
Thank you though

KCTS,

If you want, submit this for review.
0
isttn24 (Author) commented:
02.07.2008 at 09:14AM CST, ID: 20841361 gave me the specific information I was looking for.  I knew these documents before opening the discussion, however, I had never seen the section pertaining to the admin account automatically re-enabling when starting in safe mode.  That's what I needed.
0
Member_2_49692 commented:
isttn24,

OK, I just mentioned it because I wanted to be fair to the other experts involved, that's all.

0
Brian Pierce (Photographer) commented:
Thanks for your comments briancassin - I'm getting used to this sort of thing.
Looks like I keep making the mistake of actually answering the question rather than trying to use telepathy to work out what the asker actually wanted to know :-)
0
isttn24 (Author) commented:
Your sarcastic comments are highly unreasonable.  Do you really believe that each initial question is/should be all encompassing?  To say yes is to say that you have never asked more than one question to arrive at a resolution.  My desire was to get people chatting about a broad topic to give myself the best chance of arriving at a more specific solution.  The question that ultimately needed to be answered was posited in ID 20841269.  You had the same chance to respond as briancassin did.  If you guys wish to only go off the first question and not the question that I ultimately needed answered, then you are correct, a split is in order.  KCTS provided part of the resolution first, then briancassin followed up with the best practices guide that included several steps that KCTS did not.  
0