Disable The Administrator Account

Are your Administrator accounts enabled? It may be worth disabling them entirely. In the January 2006 edition of Microsoft's TechNet Magazine, Jesper Johansson, Security Program Manager at Microsoft, offers six points of advice regarding those accounts: disable them, set a unique password, make that password long and unique or leave it blank, don't use the account, don't share details about the account, and don't rename it.

There are some caveats to this advice though. Johansson points out that "if you run Microsoft Small Business Server (SBS), you need the built-in Administrator account. That account is used by the OS after installation. SBS 2003 Service Pack 1 also will only apply properly if you run it as the built-in Administrator."

Here's another interesting tidbit that you might not already know, particularly if you still use the older Windows 2000 or Windows NT operating systems: beginning with Windows XP, Administrator accounts with blank passwords can only be used for local system access, i.e. they cannot be used for logons over the network. So if someone happens to gain access to the Administrator account, they'll have to find another way to reach the rest of your network. Not that moving further is especially hard once a person holds Administrator access on one machine, but the restriction does make the task more difficult.
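To check where a machine stands against this advice, here is an added PowerShell audit script (not from the article or from Microsoft). It locates the built-in Administrator by its well-known RID 500 rather than by name, so a renamed account is still found, reports whether it is enabled, and reads the Lsa registry value behind the "limit blank passwords to console logon only" policy described above; the function and parameter names are my own, and a missing registry value is assumed to mean the Windows default (enabled).

```powershell
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) in an elevated session.
function Get-BuiltInAdminStatus {
    [CmdletBinding()]
    param()

    # The built-in Administrator always carries RID 500 at the end of its SID,
    # so match on the SID: renaming the account does not change it.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Policy "Accounts: Limit local account use of blank passwords to console logon only".
    # 1 = blank-password accounts may log on at the console only (default since XP),
    # 0 = blank-password accounts may also log on over the network.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
    # Assumption: when the value is absent, Windows applies its default of 1.
    $limitBlank = if ($null -eq $lsa) { 1 } else { [int]$lsa.LimitBlankPasswordUse }

    [pscustomobject]@{
        Name                = $admin.Name
        Sid                 = $admin.SID.Value
        Enabled             = $admin.Enabled
        PasswordRequired    = $admin.PasswordRequired
        PasswordLastSet     = $admin.PasswordLastSet
        LastLogon           = $admin.LastLogon
        BlankPwdConsoleOnly = ($limitBlank -eq 1)
    }
}

function Disable-BuiltInAdmin {
    # Supports -WhatIf / -Confirm so the change can be reviewed first; remember the
    # Small Business Server caveat in the article before disabling on an SBS host.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin.Enabled) {
        Write-Verbose "Built-in Administrator ($($admin.Name)) is already disabled."
        return
    }
    if ($PSCmdlet.ShouldProcess($admin.Name, 'Disable built-in Administrator account')) {
        Disable-LocalUser -SID $admin.SID
    }
}

# Usage: report first, then disable only after reviewing the output.
Get-BuiltInAdminStatus | Format-List
Disable-BuiltInAdmin -WhatIf
```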
