Due to turnover in our IT shop we are trying to tighten up security. The first order of business is to do something with our Administrator account. The Administrator account was renamed a long time ago to a name within the naming scheme of the rest of the users. Since all of the people who left our shop know this account, what is the best way to change this? Should I rename the account and give it a new password, or should I copy the account? My concern is that if I rename the account I will cause problems for any server applications that are relying on it. What is recommended in this scenario?
Also, I want to change the username and password for the local admin account throughout the domain. Procedure for this please.
> Due to turnover in our IT shop we are trying to tighten up security. The first order of business is to do something with our Administrator account. The Administrator account was renamed a long time ago to a name within the naming scheme of the rest of the users. Since all of the people who left our shop know this account, what is the best way to change this? Should I rename the account and give it a new password, or should I copy the account? My concern is that if I rename the account I will cause problems for any server applications that are relying on it. What is recommended in this scenario?
> Also, I want to change the username and password for the local admin account throughout the domain. Procedure for this please.
No server app should rely on the built-in Administrator account. You should rename it, give it a new strong password, then create a new, more limited account to use for apps that need to log in on the server. You should also go through and clean out any old accounts that may not be needed, change the passwords on any that shouldn't be used by users, etc. If any of the old administrators left under unfriendly terms you should also check for ports that are open that shouldn't be, apps running that you don't recognize, do a good scan for viruses and trojans, and do a full backup ASAP just in case one of them gets back in and tries to wipe out something important.
Rename it back to "Administrator" and set a long passphrase on it.
Changing account names is just security theater. Names are intended to be public; there is no mechanism in place to prevent discovery of names. So don't treat such elements as secrets. The secret in a set of credentials is the password.
> Due to turnover in our IT shop we are trying to tighten up security. The first order of business is to do something with our Administrator account. The Administrator account was renamed a long time ago to a name within the naming scheme of the rest of the users. Since all of the people who left our shop know this account, what is the best way to change this? Should I rename the account and give it a new password, or should I copy the account? My concern is that if I rename the account I will cause problems for any server applications that are relying on it. What is recommended in this scenario?
> Also, I want to change the username and password for the local admin account throughout the domain. Procedure for this please.
> "Jeff" <topni...@hotmail.com.discuss> wrote in message news:Owc49y%23vHHA.4640@TK2MSFTNGP03.phx.gbl...
>> Due to turnover in our IT shop we are trying to tighten up security. The first order of business is to do something with our Administrator account. The Administrator account was renamed a long time ago to a name within the naming scheme of the rest of the users. Since all of the people who left our shop know this account, what is the best way to change this? Should I rename the account and give it a new password, or should I copy the account? My concern is that if I rename the account I will cause problems for any server applications that are relying on it. What is recommended in this scenario?
>> Also, I want to change the username and password for the local admin account throughout the domain. Procedure for this please.
> No server app should rely on the built-in Administrator account. You should rename it, give it a new strong password, then create a new, more limited account to use for apps that need to log in on the server. You should also go through and clean out any old accounts that may not be needed, change the passwords on any that shouldn't be used by users, etc. If any of the old administrators left under unfriendly terms you should also check for ports that are open that shouldn't be, apps running that you don't recognize, do a good scan for viruses and trojans, and do a full backup ASAP just in case one of them gets back in and tries to wipe out something important.
Exactly. But further, the actual administrator account should be used as little as possible and the password should be set with a hardcopy stored in a secure location. Actual administrator personnel should be given accounts that are members of the administrators group on any system they are to have admin access to, and then use that account exclusively for admin work, with no sharing of these accounts. That way you have some accountability, and hopefully the means to trace wrongdoing to the person responsible.
Geez, we tell our users to keep their passwords secret and not let others use their accounts for reasons that are painfully obvious to us, yet we go ahead and share the account and password of the single most powerful and important account on the system! What, are we so smart that the rules don't apply to us?
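An added example, not part of the thread: a PowerShell review of privileged domain accounts after staff turnover, which finds the built-in Administrator by its fixed RID 500 whatever it has been renamed to and flags administrative accounts whose password predates the departure. It assumes the ActiveDirectory (RSAT) module is installed; `$DepartureDate` is a constructed placeholder value.

```powershell
# Added example: post-turnover review of privileged accounts in an AD domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Assumption: the date the last administrator left (constructed placeholder).
$DepartureDate = Get-Date '2024-01-15'

$domainSid = (Get-ADDomain).DomainSID.Value

# The built-in Administrator always has RID 500, so a rename does not hide it.
$builtin = Get-ADUser -Identity "$domainSid-500"

# Builtin\Administrators (well-known SID S-1-5-32-544) and Domain Admins (RID 512).
$groups = 'S-1-5-32-544', "$domainSid-512"

# Expand nested groups and keep only user objects.
$members = foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user'
}

$report = $members | Sort-Object { $_.SID.Value } -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.SID -Properties PasswordLastSet, LastLogonDate
    [pscustomobject]@{
        Name            = $u.SamAccountName
        IsBuiltinAdmin  = ($u.SID.Value -eq $builtin.SID.Value)
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        # True when the password was never set or was set before the departure,
        # i.e. someone who has left may still know it.
        PasswordPredatesDeparture = (-not $u.PasswordLastSet) -or
                                    ($u.PasswordLastSet -lt $DepartureDate)
    }
}

# Accounts needing a password change (or removal) are listed first.
$report |
    Sort-Object PasswordPredatesDeparture -Descending |
    Format-Table -AutoSize
```

Rows with `PasswordPredatesDeparture` set to True are the ones to reset or retire first; a row with `IsBuiltinAdmin` True and a recent `LastLogonDate` suggests the built-in account is still in shared day-to-day use.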