Protecting the Administrator Account
There are not too many user accounts created on a default Windows Server 2003 domain controller which is installed for Active Directory. However, the one user account that you need to protect above all other accounts is the Administrator account. This account is one of the default accounts that provides the highest privileges to Active Directory, domain controllers, member servers, clients, and the network services.
The Administrator account in Active Directory is only one of many Administrator accounts on the network. Every member server and client has a local Administrator account, which is designed to have ultimate control over the computer where it resides. Most of the information that is discussed within this article can also be used to protect the local Administrator account. The best way to provide this control is to use Group Policy from Active Directory.
We will focus on protecting the Active Directory Administrator account, since this account has the widest scope of influence. Keep in mind how many Administrator accounts you might have at the Active Directory level. Each domain will have an Administrator account, which is responsible for controlling all objects within that domain. The Administrator account that resides in the first Active Directory domain has special privileges. This Administrator account is also given Enterprise Admins and Schema Admins membership. This provides the means to control every object within the entire forest, as well as power over the forest schema.
What is so important about this account?
The Administrator account at the Active Directory level has power over all computers, including domain controllers, within the domain. This means that this user account can logon to any computer, access any file, and install any application by default. Even if the local Administrator removes access for the domain Administrator account, the domain Administrator can take the privilege back.
There are also other important privileges that the domain Administrator account possesses, which provide great power. The Administrator can add computers to the domain, modify any user account (including passwords), and create Group Policy objects (GPOs) without hesitation. These privileges can't be removed for this user account, since they are hard wired into it's existence.
In the past operating systems, another key factor for this account is that it can't be removed or disabled. This posed a particular problem for many administrators and Windows networks to try and protect the account. Since Windows Server 2003, Microsoft has provided the ability to disable the Administrator account. We will discuss this feature later when we talk about the steps you can take to protect the account.
Why target this account
Hackers and attackers target this account for many reasons. Beyond the reasons just explained above, attackers know a lot about this account in most environments.
First, the Administrator account on every Windows computer in existence has a similar Security Identifier (SID). The SID is the alpha-numeric character set that is used by the operating system to track the account and grant access to resources. Whether we are talking about the Administrator account in the first Active Directory domain or the account on a Windows 2000 Professional computer, the SID always ends in 500, as shown in Figure 1.
Figure 1: The Administrator account on a Windows computer always ends with 500
What this provides is an easy target for attackers. Since the SID always ends with 500, they can target the account simply by enumerating the SIDs from Active Directory or the local SAM. This might sound difficult, but tools such as SID2USER and USER2SID have already taken much of the difficulties out of this task for you.
Second, historically this account had to exist. Windows NT and Windows 2000 Active Directory domains could not disable or delete this account. It has only been since Windows Server 2003 that this account could be disabled. This provided the attacker with a known "administrator" privileged account that they could target.
Finally, the Administrator account is an easy target for most installations of Active Directory and Windows. You would be surprised (or maybe you won't be) how many enterprises don't protect this account. Before Windows Server 2003, the Administrator account was installed with a blank password. We all know that passwords are a pain to manage and remember, so many companies would leave this account unprotected by not changing the name, nor configuring an appropriate password (or a password at all).
With so many reasons to protect this account, here are some basic steps that you can take to protect the Administrator account.
- Change the name - If you keep the name the same as the default, this provides half of the information that an attacker needs to log on as the account. Many companies will change the name to fit within the naming scheme of the other users. So, Joe Smith might be the Administrator account to obfuscate the account to novice hackers and end users.
- Reset the description - Since the description of the Administrator account states that it is the default Administrator account, changing this (or removing it) will help protect it.
- Create a "false" Administrator account - There are many attackers that are just looking for the name Administrator. So, if you create an account that has no privileges and is even disabled, the attacker will not have a chance to gain access to your network under this account.
- Configure a complex password for the account - I am not using complex here in the same sense that the operating system uses it. Here, I am suggesting that you create a lengthy passphrase for this account. I would suggest something like this:
I live in Arizona where the average temperature during the summer is 105.
- Don't use this account - I find that many companies use this account for routine maintenance, tasks, and administration. I also find that this account is configured as the service account for many network services. This account should never be used, unless there is a disaster that requires that this account be used to access a domain controller.
In addition to the basic steps that can be performed to protect this account, here are some advanced tricks that you can employ to take the access and security of the Administrator account to a new level.
- Disable the Administrator account - This is a Group Policy setting which allows you to disable this account within the domain and on local SAMs of Windows XP and Windows Server 2003 computers. The policy is under the following GPO setting:
Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Accounts: Administrator account status
This policy setting can be seen in Figure 2, and just needs to be set to Enabled to enforce the setting.
Figure 2: GPO setting that allows you to disable the Administrator account
- Rename Administrator account using GPOs - It will be hard to disable every Administrator account on every computer due to applications and other requirements. In these cases you can take an easy approach for ensuring the Administrator account is renamed. You can configure the following GPO setting, which can rename the Administrator account on any Windows 2000, XP, or Server 2003 computer.
Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Accounts: Rename Administrator account
- Deny "Access this computer from the network" User Right - By default the Administrator account is grouped into the Everyone and Authenticated Users groups, which gives the account the ability to access all computers over the network by default. Since the Administrator account is not being used for routine administration, there is really no need for the account to be accessing any resource, on any server, over the network. If you configure the following Group Policy User Right setting for the Administrator account, it can go a long way to reduce the attack surface that attackers have on the Administrator account.
Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment|Deny access to this computer from the network
The Administrator account is all powerful in a Windows world. Whether you are talking about the Administrator account within Active Directory or the lowly Administrator account in the local SAM of a Windows 2000 Professional computer, the account has the highest privilege of all user accounts by default. You need to take the appropriate steps to protect this account to ensure that it is not exposed and to reduce the possibility of it being compromised. There are some basic (yet many times ignored) steps that you can take to help protect this account. In addition to the basic steps, you can configure more advanced configurations which will reduce the possibility of this account being compromised even more.