Disabling Windows SYSTEM account

We disabled the local administrator account (which we rarely use, and we'll boot from CD to enable it back when needed).

Audit now asks: there are 30 very critical PCs; can we also disable the SYSTEM account (which I think Desktop Central or possibly SCCM uses)?

What's the impact/implications of disabling SYSTEM?

Can it be disabled? Is it an interactive logon, or does this account not allow interactive logon?

Any MS or authoritative links recommending not to disable/delete it?
sunhux asked:

McKnife commented:
LOL!

You want to disable the account that the OS itself uses? Not possible.
0
Hello There (System Administrator) commented:
Well, you cannot do it. Leave this idea. Microsoft knows why there is no such option.

The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu.
1
LBTechSol (Operations Director) commented:
The better option that Microsoft suggests is LAPS for managing the local administrator account. Take a look at LAPS.

As McKnife says, you can't disable the system account without breaking things.
0

John (Business Consultant, Owner) commented:
Agree, NO, you cannot disable this. And why are you using "administrator"? Another NO, NO. Disable it and leave it disabled. Do not enable it.

Please just use Windows as it was intended. It works better this way.
1
btan (Exec Consultant) commented:
Not advisable, please.
  1. The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions.
  2. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation).
  3. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.
Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.
1
McKnife commented:
Not "not advisable"... not possible. :-)
0
btan (Exec Consultant) commented:
Yup thanks McKnife.
0
sunhux (Author) commented:
Can you provide a couple of MS links so that I can show them to the auditor?
0
Hello There (System Administrator) commented:
Yes. Here is the explanation: http://support.microsoft.com/kb/120929/en-us
1

McKnife commented:
The auditor will know. Any admin has to know.
0
btan (Exec Consultant) commented:
NOTE: Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.
https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows
1
McKnife commented:
"The system account's permissions can be removed from a file but it is not recommended." This question is not about ACLs, but about deactivating the account, which is not possible. Sunhux, this will not show up in any documentation, but it's simply logical: deactivating the system account would keep system services from starting which are vital for the OS, not to say critical: the whole OS cannot run without them.

There is a reason why I wrote "LOL": this idea is already so funny... no one familiar with system internals will have it. No auditor will need an explanation.
1
John (Business Consultant, Owner) commented:
No auditor will need an explanation. OR, the auditor does not know their trade.
0
btan (Exec Consultant) commented:
That is why the auditor needs to ask the right question in the right context. My post is specific to another context, so what are they really looking to audit? Have they even seen it disabled before with the machine working fine?
0
sunhux (Author) commented:
OK, then the concern raised by Audit, which references a notable payment service security framework stating that "access to critical payment stations must not be from the general enterprise tool", will mean we need to use a firewall to block the Desktop Central & SCCM tools and set up a dedicated tool (i.e. the tools must not be shared) to manage these 30 critical PCs.
0
sunhux (Author) commented:
There's a requirement by Audit that if we have "admin" access to these critical PCs, the accesses must be reviewed monthly.

That's why I disabled the local built-in administrator account (though I have a way to re-enable it in the event of an emergency by booting into Safe mode): there's no way to enable it back unless we boot up with a CD, so Audit put this requirement of monthly reviewing the local administrator after I disabled it. Then they noticed there's a way to access these PCs via the tool to the command prompt, and this is "SYSTEM" privilege.
0
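The monthly "admin access" review the auditor asks for, and the earlier question of whether SYSTEM is an account that could be disabled at all, can both be answered from the machine itself. The following PowerShell script is an added example for this thread, not code from any of the posters or from Microsoft; it assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated prompt, and the output file name is an assumption.

```powershell
# Added example, not from the thread. Monthly local-admin review for one critical PC,
# plus a demonstration that SYSTEM is not a SAM account that could be disabled.
# Assumes Windows 10 / Server 2016 or later (LocalAccounts module) and an elevated prompt.

function Get-LocalAdminReview {
    $review = [ordered]@{
        Computer   = $env:COMPUTERNAME
        ReviewDate = (Get-Date).ToString('yyyy-MM-dd')
    }

    # 1. SYSTEM is the well-known SID S-1-5-18: it resolves to a name but has no SAM user object,
    #    so there is nothing for Disable-LocalUser to act on. Expect NT AUTHORITY\SYSTEM and $false.
    $systemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    $review.SystemAccountName = $systemSid.Translate([System.Security.Principal.NTAccount]).Value
    $review.SystemIsLocalUser = [bool](Get-LocalUser | Where-Object { $_.SID -eq $systemSid })

    # 2. The built-in Administrator is RID 500 whatever it has been renamed to; record its state
    #    so the review shows it is still disabled.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $review.BuiltinAdminName      = $builtin.Name
    $review.BuiltinAdminEnabled   = $builtin.Enabled
    $review.BuiltinAdminLastLogon = $builtin.LastLogon

    # 3. Everyone who actually holds admin rights on this PC, including domain users and groups
    #    nested into the local Administrators group: this is what a monthly review should list.
    $review.AdministratorsMembers = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Class  = $_.ObjectClass
                Source = "$($_.PrincipalSource)"
                SID    = $_.SID.Value
            }
        })

    # 4. Any other enabled local account is a finding the reviewer has to explain.
    $review.OtherEnabledLocalUsers = @(Get-LocalUser |
        Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-500' } |
        Select-Object Name, LastLogon, PasswordLastSet)

    # 5. Services running as LocalSystem are the OS itself, not reviewable "admin access";
    #    the count shows why the account cannot simply be switched off.
    $review.ServicesRunningAsSystem = @(Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' }).Count

    [pscustomobject]$review
}

$review  = Get-LocalAdminReview
# Output path is an assumption; point it at wherever the audit evidence is kept.
$outFile = Join-Path $env:TEMP ("{0}-admin-review-{1:yyyy-MM}.json" -f $env:COMPUTERNAME, (Get-Date))
$review | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
$review | Format-List
"Review written to $outFile"
```

Run once a month per critical PC and keep the JSON as the review evidence. The interesting fields for the auditor are AdministratorsMembers and OtherEnabledLocalUsers; SystemIsLocalUser being $false is the demonstration that SYSTEM is not an account in the sense the audit control means.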
sunhux (Author) commented:
Actually, booting up in Safe mode won't allow me to re-enable Administrator unless I've done this prior to disabling it:
  copy c:\windows\system32\cmd.exe  c:\windows\system32\utilman.exe
0
sunhux (Author) commented:
I can always disable remote access to these critical PCs from the tools, but this is going to stop the EUS guys from patching and doing remote support for these 30 PCs.

The concern from Audit is that if these tools are compromised, hackers could remotely access these critical PCs: we've heard numerous news reports of millions of dollars being rechannelled by hackers compromising these critical payment PCs.
0
btan (Exec Consultant) commented:
For the management of critical services, you should consider centralising administration such that there is a common jumphost that has digital surveillance over the administrative activity traffic. That is the privileged identity management approach. But it is normally used for backend servers, and for overseeing remote access there should be multi-factor authentication.

Then again, the critical PC should have its hard disk encrypted, not be allowed to boot from external media, and have a BIOS password lockdown. The approach to re-enable seems a bypass, as eventually it can still enable the admin account back without even logging in to the machine. Suggest considering keeping all administrator logins smartcard or 2FA enabled and maintaining an audit trail to review accounts. Account review is a necessary regime.
1
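btan's point that the utilman.exe swap is a bypass also makes it something the 30 critical PCs should be checked for, whoever put it there. The following PowerShell function is an added example for this thread, not code from any of the posters; it assumes Windows 10 / Server 2016 or later and an elevated prompt, and it flags a file only when its content is byte-identical to a shell binary, which is exactly what the copy command earlier in the thread produces.

```powershell
# Added example, not from the thread. Defender's check for the utilman.exe swap described
# above: does the accessibility helper in System32 actually carry a shell binary's content?
# Assumes Windows 10 / Server 2016 or later; run from an elevated prompt.

function Test-AccessibilityBinaries {
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # SHA256 of the shells that get copied over the helper; indexed by hash for a direct lookup.
    $shellHashes = @{}
    foreach ($shell in 'cmd.exe', 'powershell.exe') {
        $p = Join-Path $sys32 $shell
        if (Test-Path $p) { $shellHashes[(Get-FileHash $p -Algorithm SHA256).Hash] = $shell }
    }

    # utilman.exe is the helper named in this thread; extend the list to whatever
    # other logon-screen helpers your own baseline covers.
    $targets = @('utilman.exe')

    foreach ($name in $targets) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }

        $hash  = (Get-FileHash $path -Algorithm SHA256).Hash
        $ver   = (Get-Item $path).VersionInfo
        $match = $shellHashes[$hash]          # $null when the content is not a known shell

        [pscustomobject]@{
            File             = $name
            SHA256           = $hash
            ContentMatches   = $match
            # A copied cmd.exe keeps cmd.exe's own version resource, so this reads "Cmd.Exe"
            # rather than the helper's name; shown for the reviewer, not used for the verdict.
            OriginalFilename = $ver.OriginalFilename
            # A copied shell is still a validly signed Microsoft binary, so signature status
            # alone does not detect this swap; it is recorded for completeness.
            SignatureStatus  = (Get-AuthenticodeSignature $path).Status
            Suspicious       = [bool]$match
        }
    }
}

$results = Test-AccessibilityBinaries
$results | Format-Table File, Suspicious, ContentMatches, OriginalFilename, SignatureStatus -AutoSize
if ($results | Where-Object Suspicious) {
    Write-Warning 'Accessibility helper contains a shell binary; record it as a finding and restore the original from the component store (sfc /scannow).'
}
```

On a clean machine Suspicious is $false and OriginalFilename reads UtilMan.exe; after the copy command from earlier in the thread it flips to $true with ContentMatches = cmd.exe. Because the check is a hash comparison it can be run from the same management tool that deploys patches and its result stored alongside the monthly admin review.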
McKnife commented:
You are throwing in new facts and thoughts. Until now, your question was simply
"What's the impact/implications of disabling SYSTEM?"
which has been answered thoroughly. You also asked
"Can it be disabled?"
which has been answered as well. Then
"Is it an interactive logon or does this account not allow interactive logon?"
which has not been answered yet, but I can do that now: the system account is no normal interactive logon, and you cannot log on with it even if you wanted to. You can of course run processes as SYSTEM if you already have administrative permissions, but that has no security implications.

The question about documentation: if you only search long enough, you might find some documentation saying the same, but I see no point in it. What you received as answers is common knowledge.
--------
That said, the question should be closed now, and all new questions that arose on your side deserve their own threads here, if needed.
1
Hello There (System Administrator) commented:
I am glad I could help.
0