sunhux
asked on
Disabling Windows SYSTEM account
We disabled the local administrator account (which we rarely use & we'll boot from CD to enable it back when needed).
Audit now asks: there are 30 very critical PCs: can we also disable the SYSTEM account (which I think
Desktop Central or possibly SCCM uses)?
What's the impact/implications of disabling SYSTEM?
Can it be disabled? Is it an interactive logon, or does this account not allow interactive logon?
Any MS or authoritative links recommending not to disable/delete it?
Not "not advisable"... not possible. :-)
Yup thanks McKnife.
ASKER
Can you provide a couple of MS links so that I can show them to the auditor?
The auditor will know. Any admin has to know.
No auditor will need an explanation. Or the auditor does not know their trade.
That is why auditors need to ask the right question in the right context. My post is specific to another context - so what are they really looking to audit? Have they even seen it disabled before with the machine working fine?
ASKER
Ok, then the concern raised by Audit, which references a notable payment service security framework stating that "access to critical payment stations
must not be from the general enterprise tool", will mean we need to use a firewall to block the Desktop Central & SCCM tools & set up a dedicated tool (i.e. the tools must not be shared) to manage these 30 critical PCs.
ASKER
There's a requirement by Audit that if we have "admin" access to these critical PCs, the accesses must be reviewed monthly.
That's why I disabled the local built-in administrator account (though I have a way to re-enable it in the event of an emergency by booting into Safe mode): there's no way to enable it back unless we boot up with a CD, so Audit put in this requirement of monthly reviewing the local administrator after I disabled it. Then they noticed there's a way to access these PCs via the tool to the command prompt, and this is with "SYSTEM" privilege.
ASKER
Actually booting up in Safe mode won't allow me to re-enable Administrator unless I've done this prior to disabling it:
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
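As an added example (not from the thread or any of its participants), a read-only PowerShell check that gives an auditor the evidence the monthly review asks for, shows that SYSTEM is a well-known identity rather than a local user that could be disabled, and verifies that utilman.exe has not been swapped for cmd.exe as in the preparation step just described. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the LocalAccounts module, run elevated on the PC being reviewed.

```powershell
# Added example, not code from the thread. Read-only audit evidence for one
# critical PC; run elevated in Windows PowerShell 5.1 or PowerShell 7 on Windows.
$report = [ordered]@{}

# 1. Built-in Administrator: match on the well-known RID 500 suffix rather than
#    the name, because the account may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$report['BuiltinAdminName']    = $builtin.Name
$report['BuiltinAdminEnabled'] = $builtin.Enabled
$report['LocalAdminMembers']   = (Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }) -join '; '

# 2. SYSTEM is the well-known SID S-1-5-18. It resolves to NT AUTHORITY\SYSTEM
#    but is not in the local user database, so there is no account to disable.
$systemSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-18'
$report['SystemResolvesTo']  = $systemSid.Translate([System.Security.Principal.NTAccount]).Value
$report['SystemIsLocalUser'] = [bool](Get-LocalUser | Where-Object { $_.SID.Value -eq 'S-1-5-18' })

# 3. utilman.exe must still carry a valid Microsoft signature and must not hash
#    the same as cmd.exe (which is what the copy command above leaves behind).
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$sig     = Get-AuthenticodeSignature -FilePath $utilman
$utilmanHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash     = (Get-FileHash -Path (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
$report['UtilmanSignature'] = "$($sig.Status) ($($sig.SignerCertificate.Subject))"
$report['UtilmanIsCmdCopy'] = ($utilmanHash -eq $cmdHash)

# Anything listed here is a finding for the monthly review.
$report['Findings'] = @(
    if ($builtin.Enabled)             { 'built-in Administrator is enabled' }
    if ($report['SystemIsLocalUser']) { 'SYSTEM listed as a local user (unexpected)' }
    if ($sig.Status -ne 'Valid')      { 'utilman.exe signature is not valid' }
    if ($report['UtilmanIsCmdCopy'])  { 'utilman.exe is a copy of cmd.exe' }
) -join '; '

[pscustomobject]$report | Format-List
```

Keep the output with the review records; an empty Findings field is the expected result on a PC whose built-in Administrator stays disabled and whose utilman.exe is untouched.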
ASKER
I can always disable remote access to these critical PCs from the tools but this is going to stop the EUS guys from patching & doing remote support for these 30 PCs.
The concern from Audit is that if these tools are compromised, hackers could remotely access these critical PCs: we've heard numerous news reports of millions of dollars being rechannelled by hackers compromising these critical payment PCs.
For the management of critical services, it should consider centralising administration such that there is a common jumphost that will have digital surveillance over the administrative activity traffic. That is the privileged identity management approach. But it is normally against backend servers, and for overseeing remote access there should be multi-factor authentication.
Then again, the critical PC should have the hard disk encrypted, not allow booting from external media, and have a BIOS password lockdown. The approach to re-enable seems a bypass, as eventually it can still re-enable admin without even logging in to the machine. Suggest considering making all administrator logins smartcard or 2FA enabled and maintaining an audit trail to review accounts. Account review is a necessary regime.
You are throwing in new facts and thoughts. Until now, your question was simply
"What's the impact/implications of disabling SYSTEM?"
which has been answered thoroughly. You also asked
"can it be disabled?"
Which has been answered as well.
Then
"Is it an interactive logon or this account doesn't allow Interactive logon?"
Which has not been answered yet, but I can do that now: the system account is no normal interactive logon and you cannot log on with it even if you wanted. You can of course run processes as system if you already have administrative permissions - but that has no security implications.
The question about documentation - if you only search long enough, you might find some documentation saying the same, but I see no point in it. What you received as answers is common knowledge.
--------
That said, the question should be closed now and all new questions that arose at your side deserve their own threads here, if needed.
I am glad I could help.
You want to disable the account that the OS itself uses? Not possible.