How to Secure Local Administrators in Windows


The Windows operating system has a built-in administrator account. This account v. To prevent this, the built-in administrator account must be secured.

Disable and Rename Local Administrator Account

To protect the administrator account from brute-force attacks, you can disable the built-in administrator account, and if you cannot do this, you can rename it.

The easiest way to rename the built-in administrator account is to use Group Policy. Open the local (gpedit.msc) or domain (gpmc.msc) group policy editor and go to the following section of the console: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

Pay attention to the two policies:

  • Accounts: Administrator account status – allows you to enable or disable the built-in administrator account;
  • Accounts: Rename administrator account – allows you to rename the built-in administrator account.


To rename the account, enable the policy (Define this policy setting) and set a new username, for example localadminaccount.


Renaming makes password brute-forcing harder, since the attacker first has to learn the account name and only then can start guessing the password. Renaming the account improves security, but the measure is not effective enough on its own: the administrator account has a well-known security identifier (SID), and there are ways to authenticate with the SID instead of the username.

Therefore, a more effective way to protect the administrator account is to disable it. To do this, enable the Accounts: Administrator account status policy and change its value to Disabled.


Deny Logon Under the Local Administrator Account

It is difficult to restrict local administrator permissions in Windows, so to increase the protection level you can deny local and/or remote logon under the local administrator account. This can also be done with a GPO. Go to the section Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and note the following policies:

  • Deny log on locally — allows you to disable local login;
  • Deny log on through Remote Desktop Services — allows you to deny access using Remote Desktop Services (RDP);
  • Deny access to this computer from the network — allows you to prevent certain accounts from accessing a computer over the network;
  • Deny log on as a service — allows you to prevent a user from registering as a service. The corresponding log on permission is what allows Windows services to run in the background;
  • Deny log on as a batch job — allows you to prevent the user from registering as a batch job (used by Task Scheduler and some other services).


You can enable any of these policies (or all of them at once) by ticking the "Define these policy settings" option and adding the Administrator account to the policy.


Microsoft recommends disabling all logon methods for the local admin account except local logon.

Finally, some important points:

  • If you decide to disable the built-in administrator account, don't forget to create at least one other user with administrative permissions on the computer;
  • It is not recommended to apply these policies to domain controllers. The fact is that there are no local accounts on the DCs and the policies are applied to the administrator DSRM account. If this account is unavailable, you will not be able to log on to the domain controller in Active Directory restore mode;
  • If you disable the administrator account rename policy, the account name may not change to the original one.
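
To confirm on a machine that the settings described above took effect, here is a PowerShell audit script (an added example, not part of the original article). It finds the built-in Administrator by its well-known SID suffix (RID 500) rather than by name, so it still works after a rename, and reads the five Deny rights from a secedit export. The temporary file name is an assumption; run it from an elevated prompt.

```powershell
# Added example: audit the built-in Administrator account and its deny rights.

# The built-in Administrator is identified by RID 500, not by its name,
# so this finds it even after the rename policy has been applied.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'No local account with RID 500 found.' }

# Export the user rights assignment to a temporary INF file (name is arbitrary).
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

# Privilege constants behind the five "Deny ..." policies.
$denyRights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
}

$report = foreach ($right in $denyRights.Keys) {
    # Export lines look like: SeDenyNetworkLogonRight = Guest,*S-1-5-21-...-500
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Policy      = $denyRights[$right]
        # Accounts can be listed by SID (with a leading *) or by name.
        AdminDenied = ($members -contains $admin.SID.Value) -or
                      ($members -contains $admin.Name)
    }
}

[pscustomobject]@{
    Name    = $admin.Name
    SID     = $admin.SID.Value
    Enabled = $admin.Enabled
    Renamed = $admin.Name -ne 'Administrator'
} | Format-List
$report | Format-Table -AutoSize
```

The check only matches the account itself; a deny right granted through a group or a well-known SID such as S-1-5-114 (local account and member of Administrators group) is reported as not denied and has to be reviewed by hand.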

  1. Posted by Christian Schroeder
