The Windows operating system has a built-in administrator account. This account v. To prevent this, the built-in administrator account must be secured.
Disable and Rename Local Administrator Account
To protect the built-in administrator account from brute-force and password-spraying attacks, disable it; if you cannot disable it, at least rename it (renaming is the weaker of the two measures, as explained below).
The easiest way to rename the built-in administrator account is to use Group Policy. Open the local (gpedit.msc) or domain (gpmc.msc) group policy editor and go to the following section of the console: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options (in the local editor the Policies node is absent: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options).
Pay attention to the two policies:
- Accounts: Administrator account status – allows you to enable or disable the built-in administrator account;
- Accounts: Rename administrator account – allows you to rename the built-in administrator account.
To rename the account, enable the policy (tick Define this policy setting) and enter a new user name, for example localadminaccount.
Renaming makes password brute-forcing somewhat harder, since the attacker first has to learn the account name and only then attack the password. It improves security, but not by much: the built-in administrator always has the well-known relative identifier (RID) 500, so its SID ends in -500 (S-1-5-21-<machine or domain>-500), and anyone who can perform SID-to-name lookups against the computer (for example by RID cycling over SAMR or LSA) recovers the new name in seconds.
Therefore, the more effective way to protect the administrator account is to disable it. To do this, enable the Accounts: Administrator account status policy and set its value to Disabled.
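The same rename-and-disable procedure done from an elevated PowerShell session instead of the policy editor, as an added example that is not part of the original article. It locates the built-in account by its RID-500 SID rather than by name (the same lookup an attacker performs, which is why renaming alone is weak), refuses to disable it unless another enabled local administrator exists, and then verifies the result. The new name localadminaccount is taken from the text; the requirement for Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) is an assumption. If the Group Policy settings above are also defined, they will overwrite whatever you set here at the next policy refresh.

```powershell
# Added example, not from the original article. Requires an elevated session and
# the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later).
#Requires -RunAsAdministrator
$NewName = 'localadminaccount'   # name used in the article; any name works

# The built-in Administrator always carries RID 500, whatever it is called today.
$BuiltinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $BuiltinAdmin) { throw 'Built-in Administrator (RID 500) not found.' }
Write-Host "RID-500 account is currently named '$($BuiltinAdmin.Name)' (SID $($BuiltinAdmin.SID.Value))"

# Safety check: never disable RID 500 unless some other enabled local admin exists,
# otherwise you can lock yourself out of the computer.
$OtherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notmatch '-500$' } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if (-not $OtherAdmins) {
    throw 'No other enabled local administrator exists; create one before disabling RID 500.'
}

# Rename (if needed) and disable. The SID does not change when the name does.
if ($BuiltinAdmin.Name -ne $NewName) {
    Rename-LocalUser -Name $BuiltinAdmin.Name -NewName $NewName
}
Disable-LocalUser -Name $NewName

# Verify: same SID, new name, account disabled.
$Check = Get-LocalUser -Name $NewName
[pscustomobject]@{
    Name    = $Check.Name
    SID     = $Check.SID.Value
    Enabled = $Check.Enabled
}
```

The verification step is worth keeping in any deployment script: a failed Rename-LocalUser (for example because the new name is already taken) leaves the account under its old name, and a script that only checks for "localadminaccount" would then report nothing at all.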
Deny Logon Under the Local Administrator Account
It is difficult to restrict what a local administrator can do once logged on, so to raise the protection level you can deny local and/or remote logon to the local administrator account instead. This can also be done with a GPO. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and note the following policies:
- Deny log on locally – denies interactive (console) logon;
- Deny log on through Remote Desktop Services – denies logon over Remote Desktop Services (RDP);
- Deny access to this computer from the network – prevents the listed accounts from connecting to the computer over the network (SMB shares, remote management, WMI and similar);
- Deny log on as a service – prevents the account from being used to run a Windows service (the "log on as a service" right is what lets a service run in the background under that account);
- Deny log on as a batch job – prevents the account from being used for batch logons (used by Task Scheduler and some other services).
You can enable any of these policies (or all of them at once) by ticking the "Define this policy setting" option and adding the administrator account to the policy. A Deny right always wins over the corresponding Allow right, so it does not matter which groups the account is also a member of.
Microsoft recommends denying every logon type for the local administrator account except local (interactive) logon, so that the account remains usable at the console for recovery. Since Windows 8.1 / Server 2012 R2 (and earlier versions with update KB2871997) the well-known groups Local account (S-1-5-113) and Local account and member of Administrators group (S-1-5-114) can be used in these policies to deny network and RDP logon to every local account at once, regardless of its name; this is the approach taken in the Microsoft security baselines.
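The same user-rights configuration applied locally with secedit, as an added example that is not part of the original article. There is no built-in cmdlet for user-rights assignment, so the script exports the current assignments, adds the built-in administrator to the four Deny rights recommended above (network, RDP, service and batch, leaving local logon alone) and imports the result. The account is referenced by its RID-500 SID, so the rule keeps working after a rename. Run it elevated on the target computer; on a domain-joined machine a GPO that defines the same rights overrides this at the next refresh. The temporary folder under $env:TEMP and the file names are assumptions.

```powershell
# Added example, not from the original article. Run elevated.
#Requires -RunAsAdministrator
$Sid = (Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }).SID.Value
if (-not $Sid) { throw 'Built-in Administrator (RID 500) not found.' }
$Entry = "*$Sid"   # secedit templates prefix SIDs with '*'

$Rights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop Services
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyBatchLogonRight'               # Deny log on as a batch job
    # SeDenyInteractiveLogonRight (Deny log on locally) is intentionally left out
)

$Work   = Join-Path $env:TEMP 'userrights'   # assumed scratch location
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Export = Join-Path $Work 'current.inf'
$Import = Join-Path $Work 'deny-admin.inf'

# Export current assignments so existing members of each right are preserved.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Current = @{}
foreach ($Line in Get-Content $Export) {
    if ($Line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Current[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_ })
    }
}

# Build the [Privilege Rights] lines with the RID-500 SID appended to each deny right.
$Section = foreach ($Right in $Rights) {
    $Members = @(@($Current[$Right]) + $Entry | Where-Object { $_ } | Select-Object -Unique)
    "$Right = $($Members -join ',')"
}
@(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
) + $Section | Set-Content -Path $Import -Encoding Unicode

# Apply only the USER_RIGHTS area; the rest of the local security policy is untouched.
secedit /configure /db (Join-Path $Work 'deny-admin.sdb') /cfg $Import /areas USER_RIGHTS | Out-Null

# Verify by re-exporting and checking that every deny right now lists the SID.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$After = Get-Content $Export
foreach ($Right in $Rights) {
    $LineNow = $After | Where-Object { $_ -match "^$Right\s*=" }
    [pscustomobject]@{
        Right              = $Right
        DeniesBuiltinAdmin = [bool]($LineNow -match [regex]::Escape($Entry))
    }
}
```

Merging with the exported template matters: a template that lists only the new SID would silently remove every other principal already assigned to those rights, such as the Guests group that Windows denies network logon by default.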
Finally, some important points:
- If you decide to disable the built-in administrator account, first create at least one other user with administrative permissions on the computer. Note that on a computer that is not joined to a domain, Windows still lets the disabled built-in administrator log on in Safe Mode when no other active local administrator exists;
- It is not recommended to apply these policies to domain controllers. There are no ordinary local accounts on a DC, so the policies end up applied to the administrator account used for Directory Services Restore Mode (DSRM). If that account is unavailable, you will not be able to log on to the domain controller in Active Directory restore mode;
- If you later set the rename policy back to Not Defined, the account does not automatically revert to its original name; it keeps the last name the policy assigned until you rename it again.