Re: best practices: builtin administrator account in AD

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/25/05


Date: Wed, 25 May 2005 08:26:31 -0700

additionally . . .
While it will not stop login attempts if authentication interfaces are
exposed to where you believe these threats would arise . . .
it is possible to just deny network login to even the built-in admin
account, restricting it to local login usage, but be aware that this does
not control connection to most services, but would stop such as use of
the administrative shares.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"mocity" <mocity@discussions.microsoft.com> wrote in message
news:EB7BFBE9-A467-4BC3-8F1F-6284EF9A3DE9@microsoft.com...
> Hi,
> I understand that renaming the builtin AD administrator account is a good
> idea, but is disabling this account an additional good security measure? I
> would have no problem disabling this account, except for the fact if all
> other Domain Administrative accounts got locked out I would have no way of
> logging to the domain with admin privileges except through rebooting a DC
> into Safe Mode which enables the builtin administrator account---but this
> would be a hassle. (I'm sort of paranoid of a scenario where a malicious user
> locked out all my admin accounts, and me having to do this).
> Is having this account enabled a security risk, because it cannot be locked
> and thus gives a person infinite attempts at cracking the password?
> Thanks.
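
An added example, not part of the original post: a check of a `secedit /export` policy file for the setting described in the reply above, that the built-in administrator (RID 500) is denied network logon while local logon stays available. The mapping to the `SeDenyNetworkLogonRight` and `SeDenyInteractiveLogonRight` user rights, the sample policy text and the domain SID in it are assumptions made here.

```python
import re

# Constructed sample in the format written by `secedit /export /cfg`.
# The domain SID is a made-up placeholder, not a value from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

# RID 500 under a domain or machine SID is the built-in Administrator account.
BUILTIN_ADMIN_SID = re.compile(r"^S-1-5-21(-\d+){3}-500$")


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; plain account names do not.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def has_builtin_admin(principals, admin_name="Administrator"):
    """True if the list names the RID-500 account by SID or by its (possibly renamed) name."""
    return any(BUILTIN_ADMIN_SID.match(p) or p.lower() == admin_name.lower() for p in principals)


def audit(inf_text, admin_name="Administrator"):
    """Return a list of findings; an empty list means the policy matches the advice."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    if not has_builtin_admin(rights.get("SeDenyNetworkLogonRight", []), admin_name):
        findings.append("built-in admin is not denied network logon")
    if has_builtin_admin(rights.get("SeDenyInteractiveLogonRight", []), admin_name):
        findings.append("built-in admin is also denied local logon (no recovery path)")
    return findings
```

Files written by `secedit` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit()`.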

