Rename or Not to rename the Local Admin username......

[Guest]

I am building a series of WinXP/SP2 computers that will operate outside our
campany's domain. We desire to maintain an account with admin level rights
for management purposes.

My options are (that I know of)
- Keep the admin account as is; with a strong password
- disable Admin account; create a second account with admin rights or power
user rights
- or both.

I know that if someone who wants to get in, they're is going to; a SID to
username translation can be done, so renaming the account is not bullet
proof; and of course the group membership portions of the SID or registry
will easily point the person(s) to the second account with admin rights.

No one wants to have there computers compromised; however if these specific
computer are; the attackers will have little to no affect on other computers
in our environment; nor will they have access to any critical data. Local
users will operate at guest level; and will not have access to any passwords
used for the admin level accounts.

With that said; what are your thoughts. Is it worth-while renaming the
account; using a second admin account; or simply making the admin password as
hard as possible. The goal here is to make the admin level account as
protected as possible; with the least amount overhead and costs in management
of the account(s) over time.

Look forward to hearing everyone's thoughts.

Thanks
Matt

 

[Steve Riley [MSFT]]

We have stopped recommending renaming the account for some time now.
Security by obscurity is never a good idea. If someone wants to find your
admin accounts, they will, no matter what you name them.

 

[Shenan Stanley]

I am building a series of WinXP/SP2 computers that will operate
outside our campany's domain. We desire to maintain an account
with admin level rights for management purposes.

My options are (that I know of)
- Keep the admin account as is; with a strong password
- disable Admin account; create a second account with admin rights
or power user rights
- or both.

I know that if someone who wants to get in, they're is going to; a
SID to username translation can be done, so renaming the account is
not bullet proof; and of course the group membership portions of
the SID or registry will easily point the person(s) to the second
account with admin rights.

No one wants to have there computers compromised; however if these
specific computer are; the attackers will have little to no affect
on other computers in our environment; nor will they have access to
any critical data. Local users will operate at guest level; and
will not have access to any passwords used for the admin level
accounts.

With that said; what are your thoughts. Is it worth-while renaming
the account; using a second admin account; or simply making the
admin password as hard as possible. The goal here is to make the
admin level account as protected as possible; with the least amount
overhead and costs in management of the account(s) over time.

Look forward to hearing everyone's thoughts.

Renaming the administrator account is 'security by obscurity' and has little
if any effect, IMHO.

Disabling the local administrator is doable - and would prevent meddling
with the local machine without a domain account that has administrative
access... which if it gets hacked - you have pretty serious issues.

The best security is a strong password. Changed periodically.