Re: Block remote access for the default domain administrator
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Fri, 13 Jan 2006 19:30:36 +0000
ST wrote:
> I have been requested to set up an alternate administrator account for remote administration and then block remote access for the default domain administrator account named "Administrator".
> The strong password set on the Administrator account should be sufficient but he feels remote administration would be more secure using an account with a different name and strong password as well.
> I created a new account, gave it a strong password and added it to the domain administrators group. I left the default Administrator account alone except that I removed it from the Remote Web Workplace users group.
> Everything is working except that the default Administrator account still has remote access via RWW.
> Is it possible to do this?
I don't think so. Microsoft believes that the Administrator must never be locked out. I disagree, but oddly, Microsoft's view prevails. Neither the loss of remote admin facilities nor having the server cracked is particularly desirable, but I know which I'd prefer.
The best you can do is to make the built-in Administrator's password unbelievably strong and lock it in the company safe. Use the additional admin account. There are a few times when you will need to use the built-in Admin, such as applying SP1, but not many.
I prefer not to use Terminal Server for admin directly, but via VPN. That way I can connect using an unprivileged account then use TSWeb with my admin account, which does not have connection privileges. This means a break-in does not give immediate admin privileges. Either an elevation-of-privilege exploit must be known or a second password cracked while already connected. Either way, more tracks are left, more time is taken, and it is unlikely that an automated attack process would succeed. It does, of course, depend on the built-in Administrator password holding up.