Debunking two myths about the Windows administrator account

by Michael "Mullins CCNA, MCP" | Mar 02, 2006 8:00:00 AM

Tags: Operating systems, Microsoft Windows Active Directory, Michael Mullins CCNA, MCP, administrator account, Microsoft Windows, SID, Security Solutions Newsletter

Takeaway: The administrator account has always been an appealing target for hackers, but the Window administrator account can be particularly problematic. While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.

When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem—the administrator account comes with no password and an obvious default name ("administrator").

While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.

Myth: Renaming this account prevents hackers from finding it

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.

However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill-down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.

You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

Now, the only account with full administrative rights has a name known only to you—and hackers can't enumerate SIDS to find it!

Myth: You can't lock out the account after failed logon attempts

Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)

To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.

Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts.

However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.

Final thoughts

Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Print/View all Posts Comments on this article

GpUpdate is a Windows XP tool pete.cook | 03/02/06

GpUpdate tool paul@... | 03/03/06

Correct Mike Mullins | 03/03/06

Remove Administrators rights puterfx | 03/04/06

Snaring The Hacks ramjet@... | 03/13/06

Same here dmont | 04/10/06

Monitor how? twoclones@... | 02/23/07

Through event viewer... JCitizen | 02/23/07

admin monitoring Nels | 03/06/07

WinXP computab | 03/03/06

WinXP computab | 03/03/06

Most XP Home and quite a few XP Pro machines AmberHaze | 03/06/06

A good option. shardeth | 02/23/07

Semantics, perhaps, but... EJHonda | 03/03/06

null Mike Mullins | 03/03/06

Thanks EJHonda | 03/03/06

Disabling anonymous SID enumeration gshollingsworth | 03/21/06

Win XP asks jdw242 | 03/03/06

it asks, but does not require jsloan1223 | 03/03/06

no need for admin pwd while deploying WinX/WXP etc. progroupsystems | 02/23/07

SBS 2003 donnie@... | 03/04/06

Rename all admin accounts & DIsable SIDEnum Bose | 02/23/07