Securing the Administrator Account

Steps to secure the local Administrator account:

  1. First, rename the account to something ordinary – definitely not “Admin” or “Root”, or anything else that gives the account’s function away.  Don’t name it something that attracts attention to it either (like BigDog, Superman, or 09hTYrXXvZ34!), but something resembling a normal user name, something that may go unnoticed.  Change the account’s description property as well: the default text, “Built-in account for administering the computer/domain”, is a giveaway, and there are tools that read account descriptions and hand a potential hacker exactly what they need to figure out which account is the true administrator.
  2. Set a long, complex password for this account.  Don’t give the password out to anyone, even folks with administrator duties, unless absolutely necessary.  Control access to the account name and password by locking the information in a secure area, like a safe, and have anyone who needs it log it out and sign for it.  This records who had access to it and why.  Change this password periodically as well.
  3. Create a dummy account with no privileges, name it Administrator, and copy the description from the true administrator account.  Set a long, complex password for it as well, and make sure it is not a member of any local group, not even Users.  This creates a false trail for anyone casually looking for the admin account, but since it has no privileges, it won’t do them any good.
  4. Set up auditing on the machine(s) and regularly check for any usage of the true admin account you’ve just hidden and of the dummy one.  Although we won’t go into auditing extensively here, it’s a good idea to audit both the successes and failures of four key categories when watching these accounts:  Account Logon, Account Management, Logon, and Privilege Use.  (In the Security log of current Windows versions these surface as events such as 4624/4625 for logon success/failure, 4672 for special privileges assigned at logon, and 4720/4738 for account creation and changes.)  Any failure, or success for that matter, that shows up for either of these two accounts means someone is using the true admin account, or looking for it, possibly for unauthorized purposes.  If you have trusted administrators log their use of this account, separating expected use from anything else is much easier.
  5. Finally, deny the built-in local Administrator account the right to log on from across the network, using the “Deny access to this computer from the network” user right (and “Deny log on through Remote Desktop Services” if you want to close RDP as well).  This can be done through Active Directory Group Policy or through the Local Security Policy MMC snap-in on the computer itself.  It matters for this account in particular: the built-in Administrator is by default exempt from the UAC remote restrictions that strip other local administrators down to a standard-user token over the network, so its password is worth more to an attacker than any other local credential.  Once denied, the account can only be used at the console (if at all), so it can’t be used for remote attacks over SMB, WMI, or RDP.
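The five steps above applied to one machine, as an added example that is not part of the original article.  It assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, plus auditpol.exe and secedit.exe; the user name doej and the descriptions are illustrative choices, not values from the text.  It locates the real account by its RID (500) rather than its name so it is safe to re-run after a rename.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): steps 1-5 on a single host.
# Assumes Windows 10 / Server 2016+ with Microsoft.PowerShell.LocalAccounts.
# 'doej' and the descriptions are illustrative assumptions; choose your own.

$NewAdminName = 'doej'                                                     # ordinary-looking name (assumption)
$DecoyName    = 'Administrator'
$DefaultDesc  = 'Built-in account for administering the computer/domain'   # Windows default text

function New-RandomPassword {
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)      # 32 chars of upper, lower, digits and + /
}

function Set-DenyLogonRights {
    # Merge the SID into both deny rights without clobbering existing entries:
    # secedit /configure replaces a right's whole list with what the .inf contains.
    param([string]$Sid)
    $cfg = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    [string[]]$text = Get-Content $cfg
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $i = -1
        for ($k = 0; $k -lt $text.Count; $k++) { if ($text[$k] -like "$right*") { $i = $k; break } }
        if ($i -ge 0) {
            if ($text[$i] -notlike "*$Sid*") { $text[$i] += ",*$Sid" }
        } else {
            $text += "$right = *$Sid"    # [Privilege Rights] is the last section of the export
        }
    }
    Set-Content -Path $cfg -Value $text -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

# Step 1: find the built-in Administrator by RID 500, never by name, then rename it
# and replace the tell-tale default description with something bland.
$realAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $realAdmin) { throw 'No RID 500 account found' }
if ($realAdmin.Name -ne $NewAdminName) { Rename-LocalUser -SID $realAdmin.SID -NewName $NewAdminName }
Set-LocalUser -SID $realAdmin.SID -Description 'Accounts payable'          # bland description (assumption)

# Step 2: long random password, shown once so it can be sealed in the safe.
$realPw = New-RandomPassword
Set-LocalUser -SID $realAdmin.SID -Password (ConvertTo-SecureString $realPw -AsPlainText -Force)
Write-Host "Seal this password offline and clear this console: $realPw"

# Step 3: unprivileged decoy wearing the old name and the default description.
if (-not (Get-LocalUser -Name $DecoyName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $DecoyName -Description $DefaultDesc `
        -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force) | Out-Null
}
# Strip any group membership at all, Users included (harmless if it holds none).
foreach ($g in Get-LocalGroup) {
    Remove-LocalGroupMember -Group $g -Member $DecoyName -ErrorAction SilentlyContinue
}

# Step 4: success and failure auditing for the four categories the article names,
# expressed as the auditpol subcategories that carry them.
foreach ($sub in 'Credential Validation', 'User Account Management', 'Logon', 'Sensitive Privilege Use') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Step 5: the real admin may not log on over the network or through Remote Desktop.
Set-DenyLogonRights -Sid $realAdmin.SID.Value
```

On a domain-joined machine, user rights and audit settings pushed by Group Policy will overwrite what secedit and auditpol set locally at the next refresh, so put steps 4 and 5 in a GPO there and use the script only for standalone hosts.  Run it from a console that is not being transcribed, since the password is printed once.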

Of course, there are still ways for a would-be hacker to get your administrative account name, if they have the time and resources.  For example, there are numerous tools that a hacker can use to enumerate the Security Identifiers (SIDs) of a machine or domain and map them back to account names.  The SID of the true built-in Administrator account always ends in the relative identifier (RID) 500 on a Windows box, whatever the account has been renamed to.  If a hacker has the means to enumerate your SIDs and account names, it’s not much trouble to figure out that a user account named DoeJ with a SID ending in 500 is, in fact, the true administrator.  This renders steps 1 and 3 above only a speed bump to a knowledgeable and determined hacker.  That’s why auditing this account’s usage is so important as well.

Although beyond the scope of this article, this enumeration tactic can be blunted by restricting anonymous access to your machines through Group or Local Computer policy, specifically the “Network access: Do not allow anonymous enumeration of SAM accounts” and “...SAM accounts and shares” security options.  Note that these only stop unauthenticated (null session) enumeration; any authenticated user, which on a domain means any domain account, can still translate SIDs to names, so the auditing in step 4 remains your real backstop.
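The three points made in the last two paragraphs, as an added example that is not part of the original article: the RID 500 lookup that defeats renaming, the audit review from step 4 over the Security log for the hidden and decoy accounts, and the Local Security Policy settings (here written to their registry locations) that block anonymous SAM enumeration.  The account names doej and Administrator are the illustrative names used above, not values from the text; event IDs and registry value names are standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes Windows 10 / Server 2016+
# and the watched account names 'doej' (hidden admin) and 'Administrator' (decoy).

# (a) What an attacker, or you verifying the rename, does: ignore names, key on the RID.
function Get-RealAdministrator {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Description, Enabled, @{ n = 'SID'; e = { $_.SID.Value } }
}

# (b) Every success or failure touching the watched accounts in the last $Days.
#     4624 logon, 4625 failed logon, 4648 logon with explicit credentials
#     (runas, psexec -u), 4672 special privileges assigned at logon.
function Get-WatchedAccountLogons {
    param([string[]]$Accounts = @('doej', 'Administrator'), [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4648, 4672
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4672 names the account in SubjectUserName; the others use TargetUserName.
        $acct = if ($_.Id -eq 4672) { $d['SubjectUserName'] } else { $d['TargetUserName'] }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Account     = $acct
            LogonType   = $d['LogonType']        # 2 console, 3 network, 10 RDP
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    } | Where-Object { $Accounts -contains $_.Account }
}

# (c) "Network access: Do not allow anonymous enumeration of SAM accounts" and
#     "... SAM accounts and shares", as stored under the Lsa key. The same settings
#     live in Local Security Policy > Security Options and can be pushed by GPO.
function Set-NoAnonymousEnumeration {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM       -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous          -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous  -Value 0 -Type DWord
}

Get-RealAdministrator
Get-WatchedAccountLogons | Sort-Object Time | Format-Table -AutoSize
```

A 4625 for Administrator (the decoy) with LogonType 3 from an unfamiliar source is the cleanest signal this setup produces, since nothing legitimate should ever authenticate as the decoy.  For doej, compare every 4624 and 4672 against the sign-out log from step 2; anything not covered by an entry there is the event to chase.  Setting (c) closes the null-session path only, which is why (b) stays necessary after it is applied.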