Securing the administrator account
Windows NT includes a built-in administrator account that has the highest level of access privilege to all resources on the local area network. The following are points to consider when securing the administrator account:
Upon the completed installation of Windows NT the network administrator must rename the default administrator account. After it is renamed this account must only be used to grant or revoke access to network resources or to perform configuration changes on the network server.
The CIO or someone in that capacity must be informed of any changes to the default administrator account.
In the event the network administrator has resigned from the company. The administrator account and password should be immediately changed.
The password for the administrator account must be changed periodically using a maximum of eight-character length password.
The network administrator must always log off the administrator account after it is used for configuration changes or updates to the network server.
There may be times when an authorized outsource personnel may need administrative rights to network resources or to perform software updates to the network server. In this case, create a temporary user account and assign this account to the administrator group.
- Include an expiration date for this account.
Information technology department members may require administrative rights to certain files, folders or a shared resource on the network server. If this is the case, create a separate user account for each user and assign this account to the administrator group. The passwords for these accounts should be changed periodically.
If you're running NT 4.0, you should run RDISK /s periodically so as to always have an updated copy of the Security Identifier database. This command is not available in Windows 2000. Have the disk containing this information stored in a secured location accessible to only trusted members of the tnformation technology department.
Never grant dial-in permission to the administrator account via remote access. Doing so can place the entire network at risk.
Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics.
Did you like this tip? If so, (or if not) why not let us know. Send an e-mail to us and sound off. Or visit our tips page to rate this tip, or submit one of your own.
Windows NT and 2000 Workstation and Server, 1/e
Author : Jim Mohr
Publisher : Prentice Hall
ISBN/CODE : 0130830682
Cover Type : Soft Cover
Pages : 500
Published : Jan 2000
Delivering quality end-user support requires you to make crucial decisions that most Windows NT/2000 books ignore. How much up-front training should you give users? When should you provide in-person support? What's the best way to support mobile employees? How can you organize users and groups most cost-effectively? In this book, James Mohr -- who currently supports over 1,000 Windows users worldwide -- brings together real-world solutions and best practices for all these challenges, and more! Discover better ways to document and standardize your Windows network and IP addressing scheme -- and practical techniques for protecting yourself against intruders and viruses. Master today's best processes for tracking support calls and measuring your responses. Learn how to select the most appropriate hardware for home and satellite offices; compare your options for managing desktops, software, and licenses; and much more.
This was first published in March 2001