Skip navigation

Securing the Windows XP Administrator Account

I realize that risks are associated with the built-in Administrator account. Should I disable the account?

You're right to be worried about the Administrator account. Each Windows computer has an Administrator account that's all-powerful and known to attackers. You can't delete Administrator, nor does Windows lock out the account after repeated logon attempts with a bad password. Windows 2000 and earlier don't let you disable Administrator. Windows Server 2003 and Windows XP allow you to disable the account, but be careful about doing so. If all a computer's accounts become locked out or if the computer loses its membership in the domain, Administrator might be your only way to log on to the computer. For these reasons, Administrator is a big target for attackers.

To lessen the risk of attack, I recommend the following steps. First, rename Administrator to something less obvious such as homer or cell32. Delete the description of the account, which identifies it as the built-in Administrator account. An intruder can still discover the account by using tools such as Winfo, but you can gain some security through obscurity.

Next, create a decoy account named Administrator and give it the description that the real Administrator account typically has. Make sure this account has no authority by creating a dummy group and making the dummy group the decoy's primary group. Delete the decoy from any other groups such as Domain Users. Disable the decoy.

Finally, grant the Access this computer from the network and, if XP or later, Deny logon through Terminal Services user rights to the renamed Administrator account. (You'll find user rights assignments in Local Security Policy under Security Settings\
Local Policies\User Rights Assign
ment.) By granting the account these two rights, you prevent it from being used by attackers elsewhere on the network, even if they succeed in guessing the account's password. The account is useful only for interactive logons at the computer's console. Note that Windows automatically blocks administrator accounts with blank passwords from logging on in any way except at the console.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish