Securing the Administrator Account in Microsoft Windows Systems
The Administrator account is a default account in all versions of the Windows operating system, used by system administrators for tasks that require administrative credentials. It cannot be deleted or locked out, but it can be renamed or disabled. The account has complete access (Full Control permissions) to files, directories, services, and other resources on a Microsoft Windows computer. It can be used to create users and to assign user rights and access control permissions. Although files and directories can be protected from the Administrator account temporarily, the account can take control of these resources at any time by changing the user rights and access permissions (TechNet Accounts, n.d.).
Because the Administrator account is so powerful, TechNet Accounts (n.d.) provides the following security measures:
- Set an especially long, strong password, and secure the Remote control and Remote Desktop Services profile settings.
- The Administrator account can be disabled or renamed to make it more difficult for attackers to gain access to the account. However, even if the account is disabled, it can still be used to gain access to a domain controller by using safe mode.
- On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller, so the Administrator account requires a strong password.
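The following audit is an added example, not taken from TechNet or from the original text. It checks whether the rename and disable measures listed above have been applied to the local built-in Administrator account. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on a workstation or member server (not a domain controller); the function name `Get-BuiltinAdministratorAudit` is hypothetical.

```powershell
# Added example: audit the built-in Administrator account on the local machine.
# Assumption: run on a workstation or member server, where local accounts exist.

function Get-BuiltinAdministratorAudit {
    [CmdletBinding()]
    param()

    # The built-in Administrator always carries the relative identifier 500,
    # so matching on the SID finds it even after it has been renamed.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    if (-not $admin) {
        throw 'Built-in Administrator account (RID 500) was not found.'
    }

    $findings = @()
    if ($admin.Enabled) {
        $findings += 'Account is enabled'
    }
    if ($admin.Name -eq 'Administrator') {
        $findings += 'Account still has its default name'
    }
    if ($admin.Enabled -and $null -eq $admin.PasswordLastSet) {
        $findings += 'Account is enabled but no password has ever been set'
    }

    # Return an object rather than text so results can be collected
    # from many machines and filtered or exported.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Name            = $admin.Name
        SID             = $admin.SID.Value
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        LastLogon       = $admin.LastLogon
        Findings        = $findings
    }
}

Get-BuiltinAdministratorAudit | Format-List
```

An empty `Findings` list means the account is both renamed and disabled; password strength itself cannot be read back from the account and has to be enforced by policy.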
When Active Directory is installed on the first domain controller in a domain, the Administrator account is created for Active Directory. The account is given domain-wide access and administrative rights to all the domain resources. For this reason, securing the Administrator account, or disabling it, should be a priority (TechNet Accounts, n.d.).
TechNet Accounts. (n.d.). Active Directory Accounts. Retrieved November 24, 2016, from