In Windows 2008 (and R2) should I rename the Administrator account or disable it and create a new one?
Will disabling the built-in Administrator account cause any problems? Is this still considered best practice?
Microsoft Best Practices found on TechNet and MS Press' "Securing Windows Server 2008 R2":
1. Don't rename it.
You'll waste your effort and (for backward compatibility) if you have any apps/services on your network that require the Admin account to function, they will break.
2. Disable the BUILTIN\Administrator.
Renaming the account to create a honey pot for attackers is an outdated practice. Any cracker good enough to get this far into your network knows this ploy already. The cracker will just look for the SID ending in -500.
3. Create an account with a nondescript name and give it admin rights.
That is, name the account "JohnBlack" or "BettyClark". Do not name the account something like Superman, Root, Skywalker, or anything with Admin or ADM in it like testadm or LocalAdmin. Programs that still look for the Admin account by name have evolved enough to check for these names too.
4. After you've created the account in step 3, NEVER USE IT!
You can't audit Admin access if you're using it as a regular account (aside from all the other reasons not to use it).
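An audit of the points in the answer above, as an added example that is not part of any answer on this page: it identifies the built-in Administrator by its SID ending in -500 regardless of its current name, reports whether it is enabled, and flags account names of the kind the answer says to avoid. The function name `Test-LocalAdminHygiene` is hypothetical, the sample accounts and SIDs are constructed, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not from the original answers.
# Audits account objects by SID rather than by name.
function Test-LocalAdminHygiene {
    param([Parameter(Mandatory=$true)] [object[]] $Accounts)

    # Name fragments the answer says to avoid (matching is case-insensitive).
    $obviousName = 'adm|root|superman|skywalker'

    foreach ($acct in $Accounts) {
        # Machine SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>.
        # RID 500 is the built-in Administrator, whatever it is called today.
        $isBuiltin = $acct.SID -match '^S-1-5-21-\d+-\d+-\d+-500$'

        if ($isBuiltin -and -not $acct.Disabled) {
            $finding = 'Built-in Administrator (RID 500) is enabled'
        } elseif ($isBuiltin) {
            $finding = 'Built-in Administrator (RID 500) is disabled'
        } elseif ($acct.Name -match $obviousName) {
            $finding = 'Account name advertises administrative use'
        } else {
            continue   # nothing to report for this account
        }

        New-Object PSObject -Property @{
            Name    = $acct.Name
            SID     = $acct.SID
            Finding = $finding
        }
    }
}

# Constructed sample data; these SIDs are made up for illustration.
$base = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    (New-Object PSObject -Property @{ Name = 'svc_backup'; SID = "$base-500";  Disabled = $false }),
    (New-Object PSObject -Property @{ Name = 'Guest';      SID = "$base-501";  Disabled = $true  }),
    (New-Object PSObject -Property @{ Name = 'LocalAdmin'; SID = "$base-1001"; Disabled = $false }),
    (New-Object PSObject -Property @{ Name = 'JohnBlack';  SID = "$base-1002"; Disabled = $false })
)

Test-LocalAdminHygiene -Accounts $sample | Format-Table Name, Finding, SID -AutoSize

# On a live host, pass the real local accounts instead of the sample:
# Test-LocalAdminHygiene -Accounts (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")
```

The name check only looks at account names; it does not read Administrators group membership, so treat a name finding as a prompt to check what rights the account actually holds.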
Common practice is to just rename the account.
Renaming the account is the best bet because you are going to require some sort of local admin account, and the one that ships has already been set up and configured nicely to run the system. Renaming it basically turns it into another account for purposes of security.
I've come across both recommendations. In my last job we disabled local admin accounts on machines that were on the Active Directory domain.
I'd personally recommend disabling it and creating a new administrative user account. That way if there are any problems with the user profile you still have an administrative account you can fall back on.
williamtorres's answer seems like the correct one. Given that, here is the command to disable the administrator account (so you don't have to look it up :)
http://technet.microsoft.com/en-us/library/dd744293(v=ws.10).aspx