Secure the local administrator account in Windows

Did you know the Windows local administrator account is the only access someone needs to completely wreak havoc on your network? Locking down this account can go a long way toward securing your corporate systems. Mike Mullins offers some quick ways to better protect the local administrator account.


When it comes to an organization's systems, there's only one account that someone needs to gain access to in order to totally wreak havoc on the network. Unix administrators traditionally know it as the root account; the more familiar name for Windows administrators is the local administrator account.

This account definitely deserves special attention—it has total control over every computer connected to the domain. That means this account has access to every file and application on the network, and it can even grant itself the privilege to access a file if that permission doesn't exist.

Installing the Windows operating system automatically creates this account, and I promise you that every would-be hacker already knows the default name and password. Locking down this account can go a long way toward securing your corporate systems. Let's look at some quick ways to better protect the local administrator account.

Make the administrator account harder to access

Regardless of which version of Windows you're running, your first step is to change the account's name and assign it a strong, complex password. Of course, don't make the password so long or complicated that you'll need to write the combination on a sticky note and paste it in a "secret location." If you must write down these usernames and passwords, store them in a locked filing cabinet—and don't share the key.
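A scripted equivalent of this step, added here as an example and not part of the article: it finds the built-in account by its well-known relative ID (500) rather than by name, assigns it a random 24-character password drawn from the cryptographic RNG, and renames it. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, so not the Windows 2000/XP/2003 systems the article targets), an elevated session, and the placeholder name svc-breakglass, which is an arbitrary choice made here.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Placeholder name for the renamed account.
$NewName = 'svc-breakglass'

# The built-in administrator is identified by RID 500, so this works even if
# the account was renamed earlier.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in administrator account (RID 500) not found.' }

function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}'
    # Reject bytes at or above this limit so the modulo step is unbiased.
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$plain  = New-RandomPassword -Length 24
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Set the password first, then rename; both operations key off the SID.
Set-LocalUser -SID $builtin.SID -Password $secure
if ($builtin.Name -ne $NewName) {
    Rename-LocalUser -SID $builtin.SID -NewName $NewName
}

# Show the password exactly once so it can be recorded offline, as the article
# advises (locked cabinet, not a sticky note), then drop it from memory.
Write-Host "Account '$NewName' (RID 500) updated. Record this password offline now:"
Write-Host $plain
Remove-Variable plain, secure

# Confirm the result.
Get-LocalUser -SID $builtin.SID | Select-Object Name, Enabled, PasswordLastSet
```

The rejection-sampling loop in New-RandomPassword matters: taking a random byte modulo the alphabet size directly would favour the first few characters of the alphabet slightly, which a password generator should avoid.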

Disable the administrator account

Making the login information more difficult to crack is a good first step, but you shouldn't stop there. It's a good idea to disable access to this account until you need it.

Why should you turn off the administrator account? You should treat it like any other service—if you don't need it, disable it. Disabling the local administrator account or not allowing the account to access a workstation or server over the network is a big blow to black hats who want to exploit this all-powerful account.

However, I have one caveat. Before you disable the administrative account on any workstation or server, make sure there's at least one other account that has administrative permissions, or you might not be able to undo the security you're about to apply.

Secure the administrator account in Windows 2000

Windows 2000 doesn't allow you to disable the administrator account. However, you can take steps to provide almost the same level of security as turning off this account. Follow these steps:

  1. Log on either as administrator or as a user with administrator permissions.
  2. Go to Start | Programs | Administrative Tools | Local Security Policy.
  3. In the Local Security Settings console, expand Local Policies, and select User Rights Assignment.
  4. Double-click Deny Access To This Computer From The Network.
  5. In the Security Policy Setting dialog box, click Add.
  6. In the Select Users Or Groups dialog box, select the administrator account, and click Add.
  7. Click OK twice, and close the Local Security Settings console.

Reboot the machine for the change to take effect.
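The same user-rights change done without the GUI, added here as an example and not part of the article. Windows 2000 has no PowerShell, so this is the equivalent for PowerShell 5.1 or later on a current Windows version; it drives secedit.exe, which is the command-line front end to the same Local Security Policy settings. The working directory under $env:TEMP is a choice made here. One point the GUI hides: when secedit applies a template, it replaces the entire list of accounts holding a right, so the script exports the current assignees for SeDenyNetworkLogonRight and merges the administrator's SID into that list instead of overwriting it.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Working files live under $env:TEMP.
$work   = Join-Path $env:TEMP 'deny-net-logon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
$apply  = Join-Path $work 'apply.inf'
$db     = Join-Path $work 'apply.sdb'

# Built-in administrator by RID 500, whatever its current name.
$adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }).SID.Value
if (-not $adminSid) { throw 'Built-in administrator account (RID 500) not found.' }
$wanted = "*$adminSid"   # secedit writes SIDs with a leading asterisk

# Export the current user-rights assignments (the file is UTF-16 with a BOM,
# which Get-Content detects on its own).
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Get-Content $export | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }

# Existing assignees of the right; the line is absent when nobody holds it yet.
$existing = @()
if ($line) {
    $existing = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
if ($existing -contains $wanted) {
    Write-Host 'Built-in administrator is already denied network logon.'
    return
}
$merged = ($existing + $wanted) -join ','

# Minimal security template that touches only this one right.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $merged
"@ | Set-Content -Path $apply -Encoding Unicode

secedit /configure /db $db /cfg $apply /areas USER_RIGHTS /quiet | Out-Null

# Verify by exporting again and checking that the SID is now in the list.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$after = Get-Content $export | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
if ($after -and $after -like "*$wanted*") {
    Write-Host "Network logon denied for $adminSid. Reboot for the change to take effect."
} else {
    throw 'Verification failed; inspect the exported template.'
}
```

The merge step is the part to keep even if you rewrite the rest: a template that lists only the administrator would silently remove any other accounts or groups already denied network access, which is the opposite of hardening.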

Disable the administrator account in Windows XP and Windows Server 2003

To disable the local administrator account, follow these steps:

  1. Log on either as administrator or as a user with administrator permissions.
  2. Right-click My Computer, and select Manage.
  3. Expand Local Users And Groups, and select Users.
  4. Double-click Administrator.
  5. Select the Account Is Disabled check box, and click OK.
  6. Close the Computer Management console. The change will take effect after you log off the computer.
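A scripted version of this procedure that also enforces the caveat from earlier in the article (make sure another administrative account exists before disabling this one), added here as an example and not part of the article. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, so Windows 10 / Server 2016 and later rather than XP or 2003, and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in administrator account (RID 500) not found.' }

# Disabling the account you are currently logged on as would lock you out at
# the next logon, which is the situation the article warns about.
if ($env:USERNAME -eq $builtin.Name) {
    throw "Logged on as $($builtin.Name); log on with another admin account first."
}

# Members of the local Administrators group (well-known SID S-1-5-32-544).
$admins     = Get-LocalGroupMember -SID 'S-1-5-32-544'
$localUsers = Get-LocalUser

# Other enabled local user accounts in the group can be verified directly.
$fallback = foreach ($m in $admins) {
    if ($m.SID.Value -eq $builtin.SID.Value) { continue }
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $u = $localUsers | Where-Object { $_.SID.Value -eq $m.SID.Value }
        if ($u -and $u.Enabled) { $u }
    }
}
# Domain users and groups also grant admin rights, but their enabled state
# cannot be checked from this machine, so they are listed rather than verified.
$nonLocal = $admins | Where-Object { $_.PrincipalSource -ne 'Local' }

if (-not $fallback -and -not $nonLocal) {
    throw 'No other administrative account found; create one before disabling this account.'
}

Write-Host 'Other administrative principals present:'
$fallback | ForEach-Object { Write-Host "  local user  : $($_.Name)" }
$nonLocal | ForEach-Object { Write-Host "  $($_.PrincipalSource): $($_.Name) ($($_.ObjectClass))" }

Disable-LocalUser -SID $builtin.SID

# Confirm the account is now disabled.
$state = Get-LocalUser -SID $builtin.SID
if ($state.Enabled) { throw 'Account is still enabled.' }
Write-Host "$($state.Name) is disabled. The change applies at the next logon."
```

If the only non-built-in administrators are domain groups, the script proceeds but prints them so you can confirm that at least one member of those groups is actually able to log on to this machine.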

Final thoughts

Most administrators don't use the local administrator account. Instead, they perform most administrative functions using another account that has administrative privileges. Seldom, if ever, should administrators use the local account, and they should only use it over the network when it is absolutely unavoidable.

It's a good idea to begin auditing actions on your networks to establish the accountability of the people performing those actions. If everyone needs to use the local administrator account to perform daily tasks, then you definitely need to reevaluate the permissions and rights for those accounts and your network.
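One way to start the auditing the article recommends, added here as an example and not part of the article: it enables success and failure auditing for logon events and then reports every recorded use of the built-in administrator account over the last seven days, split by logon type so that network use (type 3), which the article says should be rare to nonexistent, stands out. It assumes Windows Vista / Server 2008 or later (auditpol.exe and event IDs 4624 and 4625 did not exist on the versions the article covers), PowerShell 5.1 or later with the LocalAccounts module, and an elevated session; the seven-day window is a choice made here.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in administrator account (RID 500) not found.' }
$targetSid = $builtin.SID.Value

# Turn on logon auditing (both outcomes). The setting persists until changed.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# Pull a named EventData field from the event's XML rather than relying on
# positional Properties indexes, which differ between 4624 and 4625.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $sid  = Get-EventField $e 'TargetUserSid'
    $name = Get-EventField $e 'TargetUserName'
    # Successful logons (4624) carry the real SID; failed ones (4625) usually
    # report a null SID, so fall back to the account's current name for those.
    if ($sid -ne $targetSid -and $name -ne $builtin.Name) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Result      = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        LogonType   = [int](Get-EventField $e 'LogonType')   # 2 console, 3 network, 10 RDP
        Source      = Get-EventField $e 'IpAddress'
        Workstation = Get-EventField $e 'WorkstationName'
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize

# Network logons by this account are the ones to investigate; with the
# "deny access from the network" right in place this count should be zero.
$netCount = ($hits | Where-Object { $_.LogonType -eq 3 } | Measure-Object).Count
Write-Host "Network logons by $($builtin.Name) since $since : $netCount"
```

Reading the fields out of the event XML by name costs a little speed on a busy Security log but avoids the classic mistake of indexing Properties by position and reading the wrong field for one of the two event IDs.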

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.
