How to Secure Local Administrators in Windows?

The Windows operating system has a built-in administrator account. This account v. To prevent this, the built-in administrator account must be secured.

Disable and Rename Local Administrator Account

To protect the Administrator account from brute-force attacks, disable the built-in Administrator account; if you cannot do that, at least rename it.

The easiest way to rename the built-in Administrator account is to use Group Policy. Open the local (gpedit.msc) or domain (gpmc.msc) Group Policy editor and go to the following section of the console: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

Pay attention to these two policies:

  • Accounts: Administrator account status – allows you to enable or disable the built-in Administrator account;
  • Accounts: Rename administrator account – allows you to rename the built-in Administrator account.

Rename Administrator Account

To rename the account, enable the policy (tick Define this policy setting) and enter a new username, for example localadminaccount.


Renaming makes password brute-forcing harder, since the attacker first has to discover the account name before attempting the password. Renaming improves security, but on its own this measure is not effective enough: the built-in Administrator account has a well-known security identifier (SID, always ending in the relative identifier 500), and there are ways to authenticate using the SID rather than the username.

Therefore, a more effective way to protect the Administrator account is to disable it. To do this, enable the Accounts: Administrator account status policy and set its value to Disabled.
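The same two steps (rename, then disable) can be done and checked from PowerShell. The script below is an added example, not code from the original article: it locates the built-in Administrator by its well-known RID 500 regardless of its current name, which is exactly why renaming alone is weak, renames it, and then disables it only after confirming that another enabled local administrator exists, so you do not lock yourself out. The new name localadminaccount is the article's example value; the use of the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated session are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: find, rename and (safely) disable the built-in Administrator account.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# The built-in Administrator always has RID 500 in the machine SID, whatever it is called,
# so we look it up by SID suffix rather than by the name "Administrator".
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) {
    throw 'Built-in Administrator (RID 500) not found. Do not run this on a domain controller.'
}
Write-Host ("Built-in Administrator is named '{0}' (SID {1}), Enabled = {2}" -f `
    $builtinAdmin.Name, $builtinAdmin.SID.Value, $builtinAdmin.Enabled)

# Step 1: rename (mirrors 'Accounts: Rename administrator account').
$newName = 'localadminaccount'   # example value, pick your own
if ($builtinAdmin.Name -ne $newName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $newName
    $builtinAdmin = Get-LocalUser -Name $newName
    Write-Host "Renamed built-in Administrator to '$newName'"
}

# Step 2: disable (mirrors 'Accounts: Administrator account status = Disabled'),
# but only if at least one OTHER enabled local user is in BUILTIN\Administrators.
# The check is deliberately conservative: it counts local users only, so domain
# members of the group are ignored and the account is left enabled if in doubt.
$adminsGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$otherEnabledAdmins = @(
    Get-LocalGroupMember -SID $adminsGroupSid |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtinAdmin.SID.Value } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled }
)

if ($otherEnabledAdmins.Count -eq 0) {
    Write-Warning 'No other enabled local administrator exists; leaving the built-in account enabled.'
} else {
    Disable-LocalUser -SID $builtinAdmin.SID
    Write-Host ("Disabled '{0}'. Remaining enabled local admins: {1}" -f `
        $builtinAdmin.Name, ($otherEnabledAdmins.Name -join ', '))
}
```

Run it once on a test machine before rolling the equivalent GPO settings out; on a domain-joined machine the Group Policy settings will override whatever the script sets at the next policy refresh, so the script is best used to verify the state the policy produces.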


Deny to Log on Under the Local Administrator Account

It is difficult to restrict the permissions of a local administrator in Windows, so to raise the protection level you can deny local and/or remote logon under the local Administrator account. This can also be done with a GPO. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and note the following policies:

  • Deny log on locally — denies interactive (console) logon;
  • Deny log on through Remote Desktop Services — denies logon via Remote Desktop Services (RDP);
  • Deny access to this computer from the network — prevents the specified accounts from accessing the computer over the network;
  • Deny log on as a service — prevents the account from logging on as a service (the logon type Windows services use to run in the background);
  • Deny log on as a batch job — prevents the account from logging on as a batch job (the logon type used by Task Scheduler and some other services).


You can enable any of these policies (or all of them at once) by ticking the "Define this policy setting" option and adding the Administrator account to the policy.


Microsoft recommends denying all logon methods for the local Administrator account except local logon.
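To verify which of the five "Deny log on ..." rights actually apply to the built-in Administrator on a given machine, you can export the effective local security policy with secedit and read the [Privilege Rights] section, where each right is listed by its constant name (SeDenyInteractiveLogonRight and so on) with the SIDs it is assigned to. The script below is an added, read-only example, not code from the original article; it changes nothing. The mapping of constant names to the GPO display names is standard, while the temporary export path and an elevated session are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the "Deny log on ..." user rights assigned to the built-in Administrator.
# Read-only. Exports the effective policy (including settings applied by domain GPO) via secedit.

$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator (RID 500) not found.' }

# Constant names used in the exported .inf, mapped to the GPO display names from the text above.
$denyRights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
}

# Export only the User Rights area; secedit writes a UTF-16 .inf file.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # assumed temp location
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed.' }

$lines = Get-Content -Path $cfg -Encoding Unicode
$results = foreach ($right in $denyRights.Keys) {
    # Lines look like:  SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-32-546
    $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $principals = @()
    if ($line) {
        # SIDs are prefixed with '*'; plain account names may also appear.
        $principals = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
    [pscustomobject]@{
        Policy                = $denyRights[$right]
        Constant              = $right
        AppliesToBuiltinAdmin = ($principals -contains $builtinAdmin.SID.Value) -or
                                ($principals -contains $builtinAdmin.Name)
        Principals            = ($principals -join ', ')
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize
```

Following the recommendation above, a correctly configured workstation shows AppliesToBuiltinAdmin = True for every row except "Deny log on locally"; a False elsewhere means the GPO has not applied to this machine or the account was added under a name that no longer matches after a rename, which is a reason to add accounts to these policies by SID-resolvable name rather than typing a free-form string.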

Finally, some important points:

  • If you decide to disable the built-in Administrator account, don't forget to first create at least one other user with administrative permissions on the computer;
  • It is not recommended to apply these policies to domain controllers. There are no local accounts on DCs, so the policies are applied to the DSRM administrator account; if that account is unavailable, you will not be able to log on to the domain controller in Directory Services Restore Mode;
  • If you later disable the Administrator account rename policy, the account name may not revert to the original one.
I enjoy technology and developing websites. Since 2012 I have been running a few of my own websites, and I share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky
