The Administrator Account and Administrators Group
The Administrator account and Administrators group have unlimited rights on the system. Therefore, you need to carefully evaluate the membership of the Administrators group and take care of some other housekeeping related to the Administrator account:
If you are taking over the management of an existing system, you should change the Administrator account name and password immediately. You do not know who might have a password that would give them access to the account.
The Administrator account is often the target of attacks because of its well-known name. You should rename the Administrator account to an obscure name and create a "decoy" account called "Administrator" with no permissions. Intruders will attempt to break into this decoy account instead of the real account.
Enable auditing of failed logons to detect attempts to log on to any account, including Administrator.
Look for unnecessary accounts that have Administrator status. Perhaps an intruder has created such an account as a backdoor into the system.
Review the membership of the Administrators group and the Domain Admins group. Remove all unnecessary users from these groups.
If you have a large network with multiple administrators, interview these administrators on a regular basis to evaluate their activities and need for Administrator status.
To protect against the loss of the Administrator account, create a "backdoor" Administrator account with an obscure name and a three-part password. Give three people one part of this password. In the event that Administrator access is required, all three must be present to access the Administrator account.
The Administrators group has the "Access this computer from network" right, which you can block to prevent account hijacking or unauthorized activities. Without this right, administrators must log on at the computer itself in a controlled environment to do any administrative tasks. You will also need to remove the right from the Everyone group and then add back the accounts that are allowed to log on from the network.
When a Windows NT Workstation computer is added to a domain, the Domain Admins group is added to the workstation's Administrators group. This gives any member of the Domain Admins group access to the workstation computer as well. Determine whether this is appropriate. You may need to remove the Domain Admins group at the workstation and add only a specific Administrator account.
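The membership review described above, as an added example that is not part of the original page: it parses the text printed by `net localgroup Administrators` and compares the members with an approved list. The sample output, the account names and the approved list are constructed for illustration, and the parser assumes English-locale output.

```python
import re

# Constructed sample of `net localgroup Administrators` output (English locale).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
nt-ops-7731
svc_backup2
The command completed successfully.
"""

# Hypothetical policy for one workstation: only the renamed real admin account.
APPROVED = {"nt-ops-7731"}

# Well-known names that get a specific finding when not explicitly approved.
FLAGS = {
    "administrator": "decoy or un-renamed Administrator holds admin rights",
    "domain admins": "Domain Admins group present: confirm this is appropriate",
}
DEFAULT_FLAG = "not on approved list: remove, or investigate as a possible backdoor"

def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def review(members, approved):
    """Return (member, finding) pairs for every member not on the approved list."""
    approved_ci = {a.lower() for a in approved}
    findings = []
    for name in members:
        if name.lower() in approved_ci:
            continue
        short = name.split("\\")[-1].lower()  # drop any DOMAIN\ prefix
        findings.append((name, FLAGS.get(short, DEFAULT_FLAG)))
    return findings

if __name__ == "__main__":
    for name, finding in review(parse_members(SAMPLE_OUTPUT), APPROVED):
        print(f"{name}: {finding}")
```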