Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Administrator account

72 views
Skip to first unread message

Jeff

unread,
Jul 6, 2007, 12:43:15 PM7/6/07
to
Due to turnover in our IT shop we are trying to tighten up security. The
first order of business is to do something with out Administrator account.
The Administrator account was renamed a long time ago to a name within the
naming scheme of the rest of the users. Since all of the people who left our
shop know this account, what is the best way to change this? Should I rename
the account and give it a new password, or should I copy the account. My
concern is that if I rename the account I will cause problems for any server
applications that are relying on it. What is recommended in this scenario?

Also, I want to change the username and password for the local admin account
throughout the domain. Procedure for this please.


Dave

unread,
Jul 6, 2007, 1:26:07 PM7/6/07
to

"Jeff" <topn...@hotmail.com.discuss> wrote in message
news:Owc49y%23vHH...@TK2MSFTNGP03.phx.gbl...

no server app should rely on the built in Administrator account. you should
rename it, give it a new strong password, then create a new more limited
account to use for apps that need to login on the server. You should also
go through and clean out any old accounts that may not be needed, change the
passwords on any that shouldn't be used by users, etc. If any of the old
administrators left under unfriendly terms you should also check for ports
that are open that shouldn't be, apps running that you don't recognize, do a
good scan for viruses and trojans, and do a full backup asap just in case
one of them gets back in and tries to wipe out something important.


Message has been deleted

Steve Riley [MSFT]

unread,
Jul 6, 2007, 6:54:23 PM7/6/07
to
Rename it back to "Administrator" and set a long passphrase on it.

Changing account names is just security theater. Names are intended to be
public, there is no mechanism in place to prevent discovery of names. So
don't treat such elements as secrets. The secret in a set of credentials is
the password.

See my article for more information on the distinction between identity and
authentication:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx

Steve Riley
steve...@microsoft.com
http://blogs.technet.com/steriley


"Jeff" <topn...@hotmail.com.discuss> wrote in message

news:Owc49y#vHHA...@TK2MSFTNGP03.phx.gbl...

Al Dunbar

unread,
Jul 7, 2007, 12:43:49 AM7/7/07
to

"Dave" <no...@nowhere.com> wrote in message
news:ukaM2K$vHHA...@TK2MSFTNGP04.phx.gbl...

Exactly. But further, the actual administrator account should be used as
little as possible and the password should be set with a hardcopy stored in
a secure location. Actual administrator personnel should be given accounts
that are members of the administrators group on any system they are to have
admin access to, and then use that account exclusively for admin work, with
no sharing of these accounts. That way you have some accountability, and
hopefully the means to trace wrongdoing to the person responsible.

Geeze, we tell our users to keep their passwords secret and not let others
use their accounts for reasons that are painfully obvious to us, yet we go
ahead and share the account and password of the single most powerful and
important account on the system! What, are we so smart that the rules don't
apply to us?

/Al


0 new messages