Changing the built-in "Administrator username"? How Safe Is It??

IT Support Desk
Hi:
Has anyone encountered any drawbacks to changing the built-in "administrator" username account to a different name? Yes, we do have additional accounts set up with administrative privileges applied and I realize we can simply add an additional username, assign it admin privileges and call it good, but we are working with a particular client that has a need for increased security and changing the administrator's username to another name is being considered. Firewall appliances made by Cisco and SonicWall have this capability to change their primary admin account to another name. Is it safe to do the same with the built-in administrator account or are there known quirks with Microsoft's Active Directory when doing so? Thank you in advance.
  • +
    0 Votes

    So

    Jacky Howe

    long as there are no services that rely on the Account. That can be a problem. Here is an interesting tip.

    http://www.windowsnetworking.com/nt/atips/atips40.shtml

    +
    0 Votes
    OldER Mycroft

    Intrinsically, what you are suggesting is like removing the solid rocket boosters from the Space Shuttle, replacing them with LandRover 4x4 engines (because you know within yourself, they can do the same job).

    Can they?

    You are actually attempting to remove the lintel above the major WINDOW - perhaps above ALL the WINDOWS!

    If the building then comes crashing down do you want somewhere that you can come back to and say ~~~ BUT YOU TOLD ME I COULD DO IT!

    :::::::::::::

    I would ask you, WHY do you want to change the name of the Administrator?

    If you are employed by a Megalomaniac, I suggest you get out now! Before the building comes crashing down!

    M$ microcode is not really something to start messing with.

    ***Just a personal opinion, you understand ~ but 'Administrator' is something I've seen changed - but the resultant problems have never been explained!

    <Protocol>

    +
    0 Votes

    eh?

    I've always changed the name of the Administrator account as a security best practice. I've never had any problems result from that.

    +
    0 Votes
    TonytheTiger

    It's only a convenience to us humans. The SID for the Administrator always starts with S-1-5- and ends with -500 and can thus be found by anyone who really wants to know, no matter what the "name" is.

    I'd recommend simply "disable" the administrator account (after creating another user and adding it to the administrators group, of course).
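
The SID point in the post above, as an added example that is not part of the original thread: an audit that locates the built-in Administrator by its relative ID of 500 instead of by name and reports whether it is renamed or disabled. The function name `Get-BuiltinAdminStatus` is hypothetical; the full SID form is S-1-5-21-&lt;machine or domain identifier&gt;-500.

```powershell
# Added example (not from the thread). Get-BuiltinAdminStatus is a hypothetical name.
# Needs PowerShell 5.1+ (LocalAccounts module); -IncludeDomain needs the RSAT
# ActiveDirectory module. Run the local part on a member server or workstation,
# since a domain controller has no local accounts.
function Get-BuiltinAdminStatus {
    [CmdletBinding()]
    param([switch]$IncludeDomain)

    # Local built-in Administrator: S-1-5-21-<three machine sub-authorities>-500
    $local = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}500$' }

    # Other members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
    # At least one usable alternative must exist before RID 500 is disabled.
    $others = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -ne $local.SID.Value } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Scope       = "Local ($env:COMPUTERNAME)"
        Name        = $local.Name
        SID         = $local.SID.Value
        Renamed     = $local.Name -ne 'Administrator'
        Enabled     = $local.Enabled
        OtherAdmins = $others -join ', '
    }

    if ($IncludeDomain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $domain = Get-ADDomain
        # Domain built-in Administrator: <domain SID>-500
        $user = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
        [pscustomobject]@{
            Scope   = "Domain ($($domain.DNSRoot))"
            Name    = $user.SamAccountName
            SID     = $user.SID.Value
            Renamed = $user.SamAccountName -ne 'Administrator'
            Enabled = $user.Enabled
        }
    }
}

Get-BuiltinAdminStatus | Format-List
```
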

    +
    0 Votes
    IT Support Desk

    from experts-exchange. Perhaps changing the username will work after all.
    Funny thing is, I remember changing the built-in admin account on a Windows 2000 server a couple of years ago and noticed a number of services failing. I would think as "bright" as MS is, they would encourage this w/out wreaking havoc on the system for OVERALL SECURITY. After all, wouldn't security be in their best interests as well? Never mind. Don't answer that.

    +
    0 Votes
    TonytheTiger

    remove "Administrator" from the administrators group as well :)

    +
    0 Votes
    jdclyde

    After you rename the admin account, create a NEW account by that name, but give it NO permissions.

    Turn logging on for that account, and you will know if someone is trying to hack the system.

    +
    0 Votes
    LiamE

    Good idea. I'll start doing that I think.

    +
    0 Votes
    IT Support Desk

    Logging/auditing was already activated.

    +
    0 Votes
    jdclyde

    as this is now a dummy account that should NEVER be logged into, ANY activity will show up.

    Lets you know if someone is trying to get into the admin account.
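
The decoy-account idea from the posts above, as an added example that is not part of the original thread: a query that pulls every logon attempt against the dummy "Administrator" account from the Security log. The function name `Get-DecoyAdminLogonAttempt` is hypothetical, and event IDs 4624 (successful logon) and 4625 (failed logon) are an assumption about the platform: they apply to Windows Vista / Server 2008 and later, not the older systems discussed in the thread.

```powershell
# Added example (not from the thread). Get-DecoyAdminLogonAttempt is a hypothetical name.
# Run elevated: reading the Security log requires administrative rights.
function Get-DecoyAdminLogonAttempt {
    [CmdletBinding()]
    param(
        [string]$DecoyName = 'Administrator',           # name given to the dummy account
        [datetime]$Since   = (Get-Date).AddDays(-1)     # look-back window
    )

    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_

            # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # The decoy is never used legitimately, so every hit is worth reviewing.
            if ($data['TargetUserName'] -eq $DecoyName) {
                [pscustomobject]@{
                    Time        = $evt.TimeCreated
                    Result      = if ($evt.Id -eq 4624) { 'SUCCESS' } else { 'FAILED' }
                    LogonType   = $data['LogonType']
                    SourceIp    = $data['IpAddress']
                    Workstation = $data['WorkstationName']
                }
            }
        }
}

# Summarise attempts per source; a SUCCESS row means the decoy's password is known.
Get-DecoyAdminLogonAttempt |
    Group-Object SourceIp, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```
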
