Deleting the admin account? Thoughts

[pooh sun tzu]

I've seen various posts and times about people recommending the deletion of the (or changing the name of) the Administrator account to give crackers and hackers a harder time at system penetration through the login. However, I would like to discuss this much further. I can see how changing the default Administrator may buy you time while they search for the admin's new login name, but what also understand is that the deletion or change of the administrator account can have negative impacts upon the system. I see it as an "unknown" variable, in which you won't ever really know if functionality is limited behind the screens on certain programs, because they require a check for the term Administrator on the login.

recovery console (on XP based systems) will prove to be incapable of functioning because it requires the "Administrator". Without it, you can't repair disk sectors, master boot records, drive functionality, and so forth and so forth. You cripple one of the strongest recovery tools in the XP distro.

This applies to certain other version of Windows as well as some programs running on them. So, while it may buy you a few days for them to discover the newer login name, is it work the risk of breaking compatability with software, recovery methods, and general "I don't know for fact or certainty that nothing unexpected will happen on my system due to the name change of a primary OS login, so it's safer to not do it".

Thoughts?

[skiddieleet]

I generally just set a strong password or passphrase on it. I don't know about changing the name but I don't think I would ever delete the account. I'm sure changing the name has the same effect though. On the other hand, I've experienced on windows that if you try and change a username, it makes almost an alias and keeps the other user stuff. So you can still login with both. That was for my account, but I don't know if it also holds true for the admin account. If that's the case, changing the name gets you nothing. So I guess if it's up to me just throw a strong passphrase on the admin account and pray. Really they should never get to where they have the opporitunity to input a username and password.

[MrLinus]

AFAIK, you can't delete the administrator account anyways and even with a rename (simply security through obscurity), it can be found. Tools like SID2USER and USER2SID (I think that's what they are called) can help with this.

That said, I don't think it can be done since there are so many tasks that require admin specifically (GID 500 that is). It'd be like deleting root on a *nix box. I can't imagine that one would be able to do it since even booting requires root.

[pooh sun tzu]

MsMittens: Ah, just noticed that. Looked into it a bit more and it turns out they can only be renamed, but not deleted. This does change things since it may in fact keep the term Administrator
but not the login, as h3r3tic pointed out. So.. now brings the question:


Are there any side effects to renaming the administrator account to something else? Does recovery still work? Any program incompatabilities? I'd love to test, but I've got far too much number crunching on this computer right now.

Really they should never get to where they have the opporitunity to input a username and password.

No, I agree. But we aren't talking about local or remote security overall, just this theory

[MrLinus]

AFAIK, there are no side effects since I would think most programs look for the SID/GID information if they need something to run. I know (as I've seen this) if the SID/GID gets corrupted for whatever reason, you are screwed (read: rebuild yer box). That would lead me to believe that a rename is no different than just changing root to toor.

At least with the programs I've used I never had problems. Doesn't mean that someone didn't write a program that looks specifically for the name Administrator.

[phishphreek]

Originally posted here by pooh sun tzu

System restore from the console (on XP based systems) will prove to be incapable of functioning because it requires the "Administrator". Without it, you can't repair disk sectors, master boot records, drive functionality, and so forth and so forth. You cripple one of the strongest recovery tools in the XP distro.
Thoughts?

I ran into this a while ago and while trying different things put in a 2k disc.
(This was way before the "vulnerability" for this was released... I posted on it...)

You can use the 2K recovery console...
It bypasses the registry and authentication and gives you full access to the filesystem.

I regularly rename or disable the admin account. If I need that account... I can reinstall or reimage the machine. There is no need for the local admin account when your domain admin account will do the same thing... (well.. unless you're on a different IP scheme...) but there are still solutions for that. Put in a router and "fake" your WAN to the authentication servers...

I don't rename or disable it on home machines though... just on work machines.

If a home box gets compromised... big deal (IMO). Thats a lot easier to deal with.

And MSM is right... it doesn't even matter if you do rename the admin account... it can be found out pretty easily.

[foxyloxley]

I'd like to know if you DO change the Admin account name, would you be able to change it BACK to 'administrator' as and when required ?

I've read about changing names etc, but I've never really grasped whether you were supposed to change and leave it, or change it back ...............

[Timmy77]

As you can change the admin account through setting security policy (or domain-based group policy), it's straightforward to rename the account without any ill-effects, and change the name later.

The only problems i've seen are related to older applications that rely on the currently logged in user being "Administrator" before they'll install...but that's rare.

[ss2chef]

I think it's a good idea to rename the administrator account. The SID does not change so
recovery console and tools still work. You are prompted for the administrator password only
and the renamed account password will still work.

I change the account not to create road-blocks for human crackers as much as for
the many worms running around that attempt to brute-force accounts named administrator.

I have never seen any loss of functionality due to renaming the original administrator account.

The word administrator is simply an easy to remember name like a dns name masking the actual
account identification information.

Are you sure that system restore is not meaning administrator in the logical sense as
the recovery console does? I disable restore and have not used it.

Although I'm sure it's been done, any software needing the account "administrator" to function
would be poorly written and not worth using IMO.

The notion of buying time can have limited value.

I believe that risk management does allow for "unknown" variables as I don't think it possible
to be certain that all is known. The line must be drawn somewhere and I suppose where each of us draws that line would be debated to no end..??

[pooh sun tzu]

Are you sure that system restore is not meaning administrator in the logical sense as
the recovery console does?

My mistake I meant recovery console not system recovery. Changed it in the parent post. Thanks!