administrator account security risk

Guest

I currently have two administrator accounts – the built-in account, and one
that I created. From what I understand from Microsoft’s tutorials, having
two admin. accounts could pose a security risk. I no longer go online with
the same account that has administrator status.

My question is this: What is the most optimal & secure account
configuration?

Also, how do I go about (for instance, creating just one administrator
account that is blocked from internet access)?
 
Steven L Umbach

I don't see having a problem with more than one administrator account in
your situation as I currently see it as long as you make sure your
administrator accounts have hard to guess passwords that you want to also
write down and save in a safe place. Some Trojans and other malware will
attempt to attack the administrator account with a short brute force attack
of common passwords used by users for the administrator account in order to
install themselves and otherwise gain administrator access to the computer
and configure it. A complex password will mitigate that threat and also the
threat of someone trying to access your administrative shares or Remote
Desktop if enabled.

The best practice for user accounts is the principle of least privilege. In
other words if you do not need to have administrative powers for anything
during your logon sessions then use a regular account and even then you can
use "runas" to only run specific programs/tasks using your administrator
credentials while logged on as a regular user if the need arises. I don't
know why you want to block an administrator account from internet access and
you are best off just not using it when not needed and realistically you
can not restrict an administrator account anyhow if the user that uses the
administrator account knows how to use the administrator account and desires
to do so. If you have other users on the computer that seem to need
administrator powers to run an application or such there may be workarounds
that can allow the user to do what is needed without being an administrator
depending on the operating system and network configuration. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
--- XP runas
 
Guest

I do not need two admin. accounts - that's just how it is set up right now.
I guess what I would like to know is: should I delete say (the built-in
account) or the one I created?
 
Steven L Umbach

That is up to you. You can not delete the built in administrator account
however. In XP Pro you can use lusrmgr.msc to disable user accounts if you
do not want them to be used without deleting them. Lusrmgr.msc is not
available command but you can use the command net user to make an account
inactive. In XP Home the built in administrator account is only enabled in
Safe Mode. If you disable the built in administrator account in XP Pro it
also will only be able to be logged onto in Safe Mode though you could then
enable it again for logon to regular mode. --- Steve
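
The account check and the `net user` / `runas` steps mentioned in the replies above, as an added example that is not part of the original thread or written by any poster. It assumes English-language `net` output and a local group named `Administrators`; the `:member` label and the `ACCOUNT` placeholder are illustrative.

```batch
@echo off
rem Added example (not from the thread): list the members of the local
rem Administrators group and show whether each local account is enabled.
rem Assumes English "net" output: group name "Administrators" and the
rem "Account active" label printed by "net user".
setlocal
set "inlist="
for /f "delims=" %%A in ('net localgroup Administrators') do call :member "%%A"
echo.
echo Review any administrator account you do not use. To make one inactive,
echo run from an administrator prompt:  net user ACCOUNT /active:no
echo To run a single tool with administrator credentials from a regular logon
echo (lusrmgr.msc exists on XP Pro only):
echo   runas /user:%COMPUTERNAME%\ACCOUNT "mmc %windir%\system32\lusrmgr.msc"
endlocal
goto :eof

:member
rem Called once per output line. Member names only begin after the dashed
rem separator line, so everything up to and including it is skipped.
set "line=%~1"
if not defined inlist (
    if "%line:~0,5%"=="-----" set "inlist=1"
    goto :eof
)
rem Skip the trailing status line printed by "net".
if "%line%"=="The command completed successfully." goto :eof
rem "net user" only knows local accounts; domain members stay "unknown".
set "state=unknown (not a local account?)"
for /f "tokens=3" %%S in ('net user "%line%" 2^>nul ^| findstr /b /c:"Account active"') do set "state=%%S"
echo %line% : active=%state%
goto :eof
```

Account names containing characters such as `&` are not handled by this sketch.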
 
Kerry Brown

product53 said:
I currently have two administrator accounts - the built-in account,
and one that I created. From what I understand from Microsoft's
tutorials, having two admin. accounts could pose a security risk. I
no longer go online with the same account that has administrator
status.

My question is this: What is the most optimal & secure account
configuration?

Also, how do I go about (for instance, creating just one administrator
account that is blocked from internet access)?

It is actually a good idea to have two administrator accounts. If one gets
corrupted you will need the other one. Make sure they are protected with
strong passwords. Write the passwords on a piece of masking tape and stick
it inside the computer case.

Kerry
 
Guest

Thank you for your advice Steven and Kerry...

Now I have a new problem; I can't type anything while the computer is in
safe mode - so I can't set a password for the built-in account! Is it
supposed to be like that?
 
Steven L Umbach

What do you mean you can not type in anything in Safe Mode? The keyboard
works for nothing at all no matter what application you open?? --- Steve
 
Kerry Brown

Do you have a USB keyboard?

Kerry
 
Kerry Brown

It may not work in safe mode. It depends on your motherboard. Can you
substitute a regular keyboard? If not there may be a setting in the BIOS to
enable legacy USB or something to that effect.

Kerry
 
Guest

I just tried again and it worked this time!?!? I didn't do anything different
that I know of.

Rod Serling:
"You're opening another explorer window -- a URL not only of html and Java
but of ActiveX. A journey between DLL and FTP, between science and
superstition. That's an error message up ahead: your next stop: "The
Microsoft Zone". :)
 
