Re: Disabling Administrator Acount
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 25 Apr 2007 09:13:34 -0500
"jamestulloch" <james@xxxxxxxxxxxxxxxx> wrote in message
news:1177506635.406767.9780@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello All,
The best practise for securing AD is to disable the administrator
acount. Clearly you will need in advance to have created a sufficient
number of other administrators so that you reduce the chance of
locking yourself out completely.
That's not a best practice. In fact, don't do it.
If you use account lockout (and you should as THIS is a best
practice) then an attack can lock out EVERY account.
Even renaming the admin account is an old recommendation that
no longer is worth the trouble (hackers know the well-known SID
and can come at it that way.)
However, are there other issues that you might run into. Is the
administrator account referenced directly anywhere, on the box, in
the
regsitry or within AD that could cause issues.
I have created a user account with the same group membership as
"administrator" but still occassionally have problems that seem to
point towards permissions issues.
Any thoughts?
Don't do it.
Give the admin account a LONG, COMPLEX password and don't
use it day to day. Write down that password and lock it in a
safe place.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
.
- References:
- Disabling Administrator Acount
- From: jamestulloch
- Disabling Administrator Acount
- Prev by Date: Disabling Administrator Acount
- Next by Date: Re: adding a Windows 2003 server and promote to DC in Windows 2000 AD/Domain
- Previous by thread: Disabling Administrator Acount
- Next by thread: Re: Disabling Administrator Acount
- Index(es):
Relevant Pages
|
