Control Administrator account privileges

What can an Administrator account do, and what is it allowed to access?

There are hundreds or even thousands of Administrator accounts on the network today. Can you control these accounts so that you know what they are capable of doing and what they are allowed to access?

Why control the Administrator account?

If you administer Windows networks, you are probably particularly interested in the enterprise Active Directory component. Given all the related security concerns, such as domain controllers, servers, services, applications and Internet connectivity, spending a little more time will help you understand how to control the Administrator accounts in your business in the most appropriate and accurate way.

These accounts need to be controlled for the following reasons. First, there are thousands of Administrator accounts on every medium or large network, and the possibility that they are out of control is very real. Second, most companies allow 'standard users' to access a local Administrator account, which can lead to risks or accidents. Third, the original Administrator account has to be used conservatively. Limiting privileges is therefore a smart way to manage the enterprise network.

How many Administrator accounts do you have?

To answer this question, you need to do a little counting. Start with the Windows-based desktops that have a local Administrator account: Windows NT, 2000, XP and Vista. This includes all clients used by admins, developers and employees, and even those on the server side that act as application or service devices. Public Internet café machines, computers used for research and experimentation, and centralized workstations are also included. Do not count user accounts here, because the number of devices may not match the number of users.

Next, consider the number of servers you have (not counting domain controllers this time). For servers, pay attention to their specific roles: data storage, printing, applications, hosting services, office servers, mail, fax, and so on. Each device has a SAM and a local Administrator account. This account is not used frequently, but it may still require privilege control.

Finally, look at the domain controllers. A domain controller (also a type of server) has an important Administrator account: the account that controls Active Directory. In addition, it belongs to the original domain and plays the main administrative role for the business. If you have more than one domain, each domain has its own important Administrator account. Each subsequent Administrator account controls only its own domain, but is still very powerful.

Limit login privileges

You cannot do much to limit the physical login privileges of Administrator accounts. However, they should not be used on a regular basis, so limit them by limiting the number of users who know the password. For an Administrator account tied to Active Directory, it is better that no single user knows the entire password. This is easily done with two different administrators, each entering only part of the password, and a document recording the parts of the password. If the account does not need to be used, both parts of the password can be kept stored. Another option is to use a program that automatically generates a synthetic password.

Limiting local Administrator access

Whether or not you give standard users admin access to their computers, you still need to limit access to the local Administrator account. There are two easy ways to do this: change the name of the local Administrator account, or change its password frequently. There is a Group Policy Object (GPO) setting for each of these. First, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, as shown in Figure 1. The policy you want to configure is Accounts: Rename Administrator Account.

Figure 1: Policy to change the name of the Administrator account

The second policy you need to configure is a new policy setting that will be available at the end of 2007. This policy is part of the PolicyMaker set and is located in Computer Configuration > Windows Settings > Control Panel > Local Users and Groups, as illustrated in Figure 2.

Figure 2: Configuration to reset the password for the local Administrator account

Note: This does not prevent users from periodically taking control of the account. The only way to prevent that is to remove their admin rights on the computer.

Reduce network access

As mentioned above, the Administrator account should not be used daily, so there is no reason to make it accessible across the network. A good way to limit this is to not allow the Administrator account to access servers and domain controllers over the network. You can do this easily with a GPO setting located in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, as shown in Figure 3. The setting to configure is named 'Deny access to this computer from the network'.

Figure 3: Configuration that denies network access to the computer for the Administrator account

Other configurations

If you want to be especially thorough in restricting Administrator account access on the company's network, consider the following additional settings:

• Do not use the Administrator account as a service account.

• Deny access to Terminal Services on a server or domain controller.

• Deny the ability to log on as a service on the server and domain controller for the Administrator account.

• Deny login as a batch job for the Administrator account.

These settings limit the scope of the Administrator account's impact on the computer or the network. They do not prevent users with admin privileges from reconfiguring this access. For that case, you need to set up auditing of both changes to the Administrator configuration and of when this account is used to log in and exercise user rights. These settings are also configured using GPOs. You can find them in Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, as shown in Figure 4.

Figure 4: Setting up a policy to audit user and account management
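To check that the settings described in the last three sections actually landed on a machine, the following added example (not part of the original article) parses the text of a security policy export produced with `secedit /export /cfg` and reports where it deviates from the recommendations above. The sample export is constructed, and the names `parse_inf` and `audit_admin_controls` are hypothetical.

```python
import re

# Constructed sample of a `secedit /export /cfg` file (not taken from a real host).
SAMPLE_INF = """\
[System Access]
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 0
AuditAccountManage = 1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyBatchLogonRight = Administrator
"""

DENY_RIGHTS = {  # user rights the page recommends denying to the Administrator account
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Terminal Services",
    "SeDenyServiceLogonRight": "Deny log on as a service",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
}
AUDIT_KEYS = ("AuditLogonEvents", "AuditPrivilegeUse", "AuditAccountManage")  # 0 = not audited
BUILTIN_ADMIN_SID = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-500$")  # RID 500 = built-in Administrator

def parse_inf(text):
    """Return {section: {key: value}} for a secedit-style INF export."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit_admin_controls(text):
    """List findings where the export deviates from the page's recommendations."""
    cfg, findings = parse_inf(text), []
    name = cfg.get("System Access", {}).get("NewAdministratorName", '"Administrator"').strip('"')
    if name.lower() == "administrator":
        findings.append("Administrator account has not been renamed")
    rights = cfg.get("Privilege Rights", {})
    for key, label in DENY_RIGHTS.items():
        members = [m.strip() for m in rights.get(key, "").split(",") if m.strip()]
        if not any(BUILTIN_ADMIN_SID.match(m) or m.lower() == name.lower() for m in members):
            findings.append(f"{label} ({key}) does not list the Administrator account")
    audit = cfg.get("Event Audit", {})
    findings += [f"{k} is not audited" for k in AUDIT_KEYS if audit.get(k, "0") == "0"]
    return findings
```

secedit writes its export as UTF-16, so decode the file accordingly before passing its text to `audit_admin_controls`.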

Summary

Administrator is the most powerful account, with the greatest impact in the world of the Windows operating system. Precisely because of that impact, you should use it only when you really need it, for example for recovery after a problem or for initial configuration. To enforce this limited use, you need additional settings that control Administrator permissions and access. Group Policy is the mechanism that distributes these privilege-restricting settings to all computers that need Administrator restrictions. As long as the settings are created properly, the Administrator account will be under control, not only in day-to-day operation but also when you want to track whether an intruder tries to attack your network without an account.