sunhux asked:
Disabling Windows SYSTEM account

We disabled local administrator account (which we rarely use & we'll boot from CD to enable it back when needed).

Audit now asks: there are 30 very critical PCs: can we also disable the SYSTEM account (which I think Desktop Central or possibly SCCM uses)?

What's the impact/implications of disabling SYSTEM?

Can it be disabled? Is it an interactive logon, or does this account not allow interactive logon?

Any MS or authoritative links recommending not to disable/delete it?
McKnife:

LOL!

You want to disable the account that the OS itself uses? Not possible.
Not "not advisable"... not possible. :-)
btan:

Yup thanks McKnife.
sunhux (ASKER):
Can you provide a couple of MS links so that I can show them to the auditor?
The auditor will know. Any admin has to know.
No auditor will need an explanation. OR, the auditor does not know their trade.
That is why the auditor needs to ask the right question in the right context. My post is specific to another context, so what are they really looking to audit? Have they even seen it disabled before with the machine working fine?
sunhux (ASKER):
Ok, then the concern raised by Audit, which references a notable payment service security framework stating that "access to critical payment stations must not be from the general enterprise tool", will mean we need to use a firewall to block the Desktop Central & SCCM tools and set up a dedicated tool (i.e. the tools must not be shared) to manage these 30 critical PCs.
sunhux (ASKER):
There's a requirement by Audit that if we have "admin" access to these critical PCs, the accesses must be reviewed monthly.

That's why I disabled the local built-in administrator account (though I have a way to re-enable it in an emergency by booting into Safe Mode): there's no way to enable it back unless we boot up with a CD, so Audit put in this requirement of monthly reviewing the local administrator after I disabled it. Then they noticed there's a way to access these PCs via the tool to a command prompt, and this runs with "SYSTEM" privilege.
sunhux (ASKER):
Actually, booting up in Safe Mode won't allow me to re-enable Administrator unless I'd done this prior to disabling it:
  copy c:\windows\system32\cmd.exe  c:\windows\system32\utilman.exe
sunhux (ASKER):
I can always disable remote access to these critical PCs from the tools, but this is going to stop the EUS guys from patching and doing remote support for these 30 PCs.

The concern from Audit is that if these tools are compromised, hackers could remotely access these critical PCs: we've heard numerous news stories of millions of dollars being rechannelled by hackers who compromised critical payment PCs.
For the management of critical services, you should consider centralising administration such that there is a common jumphost that has digital surveillance over the administrative activity traffic. That is the privileged identity management approach. But it is normally used against backend servers, and for overseeing remote access there should be multi-factor authentication.

Then again, the critical PC should have its hard disk encrypted, not be allowed to boot from external media, and have a BIOS password lockdown. The approach to re-enable the account seems a bypass, as eventually it can still re-enable admin without even logging into the machine. I suggest considering making all administrator logins smartcard- or 2FA-enabled and maintaining an audit trail to review accounts. Account review is a necessary regime.
You are throwing in new facts and thoughts. Until now, your question was simply
"What's the impact/implications of disabling SYSTEM?"
which has been answered thoroughly. You also asked
"Can it be disabled?"
which has been answered as well.
Then
"Is it an interactive logon, or does this account not allow interactive logon?"
which has not been answered yet, but I can do that now: the system account is not a normal interactive logon and you cannot log on with it even if you wanted to. You can of course run processes as SYSTEM if you already have administrative permissions, but that has no security implications.

The question about documentation: if you search long enough, you might find some documentation saying the same, but I see no point in it. What you received as answers is common knowledge.
--------
That said, the question should be closed now, and all new questions that arose on your side deserve their own threads here, if needed.
I am glad I could help.
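Added example, not from the thread or any of its participants: a PowerShell audit helper that shows what McKnife describes (SYSTEM is a well-known security principal, S-1-5-18, with no local account object to disable) and covers the asker's audit points: the state of the built-in Administrator (RID 500), the monthly review of local Administrators membership, and a check for the cmd.exe-over-utilman.exe substitution mentioned above. It assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts module) and an elevated prompt; the output can be kept as the review record.

```powershell
# Added example (not from the thread). Assumes Windows 10 / Server 2016+ and an
# elevated PowerShell session; uses only built-in cmdlets.

# 1. SYSTEM is the well-known SID S-1-5-18, a built-in security principal rather
#    than a SAM user object, so it has no Enabled flag to switch off.
#    Translating the SID gives its name; it never appears in Get-LocalUser.
$systemSid  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')
$systemName = $systemSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "S-1-5-18 resolves to: $systemName"          # NT AUTHORITY\SYSTEM

$localUsers   = Get-LocalUser
$systemIsUser = $null -ne ($localUsers | Where-Object { $_.SID.Value -eq 'S-1-5-18' })
Write-Host "SYSTEM listed as a local user account: $systemIsUser"   # False

# 2. The built-in Administrator is whichever local user has relative ID 500,
#    regardless of what it has been renamed to. Report its Enabled state.
$builtinAdmin = $localUsers | Where-Object { $_.SID.Value -like '*-500' }
Write-Host ("Built-in administrator '{0}' enabled: {1}" -f $builtinAdmin.Name, $builtinAdmin.Enabled)

# 3. Monthly review: who currently holds local admin rights on this PC.
#    (On non-English builds use the localized group name.)
Write-Host 'Members of the local Administrators group:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Detection for the accessibility-binary swap the asker described: if
#    utilman.exe has the same SHA-256 as cmd.exe, it has been replaced and the
#    logon screen offers a SYSTEM shell. Restore from a known-good source
#    (e.g. sfc /scannow) and investigate who made the change.
$sys32    = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash (Join-Path $sys32 'cmd.exe')     -Algorithm SHA256).Hash
$utilHash = (Get-FileHash (Join-Path $sys32 'utilman.exe') -Algorithm SHA256).Hash
if ($cmdHash -eq $utilHash) {
    Write-Warning 'utilman.exe is a copy of cmd.exe: logon-screen backdoor present.'
} else {
    Write-Host 'utilman.exe does not match cmd.exe (expected).'
}
```

Step 1 is the point to show an auditor: there is no account object for SYSTEM to disable, which is why Get-LocalUser never lists it. Step 4 is the defender's side of the utilman trick; the same hash comparison can be scheduled or fed into the endpoint tool so that any substitution of the accessibility binaries on the 30 critical PCs raises an alert instead of going unnoticed.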