Securing the Administrator Account

The most powerful account on any Windows machine is the local Administrator account. Anyone with access to it effectively has the keys to the castle, as far as that machine is concerned. (Note: domain controllers do not have a local Administrator account per se, but the domain Administrator account that resides on them is effectively the same thing.) Even on a Windows box joined to a domain, the local Administrator account can be more powerful than a domain administrator on that box. When a computer joins a domain, the Domain Admins group is added to the computer's local Administrators group; a local administrator can remove it again at any time and so take away a domain admin's privileges on that machine. (There are ways to prevent that, usually by enforcing the membership of the local Administrators group through Group Policy.) The only account that is more powerful on the local machine is the built-in SYSTEM account. With the local Administrator account, any action that can be taken on the machine can be accomplished: creating users, adding or removing resources, managing the network, and so forth. That is why it must be secured.
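The membership problem described above is easy to audit. The following PowerShell script is an added example and not part of the original article: it enumerates the local Administrators group on a domain-joined machine, reports whether a built-in Administrator account (RID 500) and the domain's Domain Admins group (RID 512) are still members, and lists any other members. It assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and an elevated session; on older systems such as Windows 2000 or XP the same information is available from `net localgroup Administrators`.

```powershell
# Added example (not from the original article): audit the local Administrators
# group and flag the case where a local admin has removed Domain Admins from it.
# Assumptions: Windows 10 / Server 2016+, PowerShell 5.1+, run elevated, and the
# Microsoft.PowerShell.LocalAccounts module available (Get-LocalGroupMember).

function Get-LocalAdministratorsAudit {
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Match by relative identifier (RID) rather than by display name: the
    # built-in Administrator may have been renamed, and "Domain Admins" is
    # localised on non-English systems. RID 500 = built-in Administrator,
    # RID 512 = Domain Admins. Both carry a domain/machine SID prefix S-1-5-21-*.
    $builtinAdmin = $members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $domainAdmins = $members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-512' }
    $others       = $members | Where-Object {
        $_.SID.Value -notlike 'S-1-5-21-*-500' -and
        $_.SID.Value -notlike 'S-1-5-21-*-512'
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        BuiltinAdministratorPresent = [bool]$builtinAdmin
        DomainAdminsPresent         = [bool]$domainAdmins
        OtherMembers                = @($others | ForEach-Object {
                                          "$($_.Name) ($($_.ObjectClass))"
                                      })
    }
}

$audit = Get-LocalAdministratorsAudit
$audit | Format-List

if (-not $audit.DomainAdminsPresent) {
    Write-Warning ('Domain Admins is not a member of the local Administrators group on {0}. ' +
                   'A local administrator may have removed it; enforce the membership with ' +
                   'Group Policy (Restricted Groups).') -f $audit.ComputerName
}

if ($audit.OtherMembers.Count -gt 0) {
    Write-Warning ('Unexpected members of local Administrators on {0}: {1}' -f
                   $audit.ComputerName, ($audit.OtherMembers -join ', '))
}
```

Run it from an elevated prompt on each machine you care about, or wrap the function in Invoke-Command to collect results across a fleet. Matching on RID rather than name is the detail that keeps the check honest: renaming the built-in Administrator is itself one of the hardening steps discussed in this article, and a name-based check would then report it as missing.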

With this in mind, there are some generally accepted things you should do to secure this account. These steps are equally effective on Windows 2000 and XP workstations and on the Windows family of server operating systems. Keep in mind that you may not want to take every one of these measures on every workstation and server on your network; you may choose to apply them only to machines that are of particular value or that carry a high risk because of the information they contain. A word of caution is also in order: applying these security measures to a machine or domain may increase your security, but it may also reduce the functionality of applications that were set up to rely on the local Administrator account. As always, try these measures on a test box or lab network and make sure they don't break anything before implementing them in your production network. (Note: some of these steps can be applied to domain and enterprise administrator accounts as well, to better secure them.)