December 23, 1999 10:28 AM

Protect Administrator Privileges

Rating: (0)
Randy Franklin Smith
Windows IT Pro
InstantDoc ID #7878
Understanding security weaknesses to prevent intrusion
Gaining administrator access is the ultimate coup for a system intruder, so protecting administrative privileges needs to be high on your security priorities list. However, safeguarding your administrator accounts is more complicated than merely assigning a good password. Windows NT idiosyncrasies and bugs and insecure default configuration settings constitute a list of security holes that an intruder can exploit t...

ARTICLE TOOLS

Want to use this article? Click here for options!

You must be a paid Professional Member to access this entire article.

Already a Professional Member? Please log in now:

NOT A PROFESSIONAL MEMBER? YOU CHOOSE:

Monthly or Annual

Professional Membership

VIP Membership

Compare Member Benefits

Add a Comment

Your information regarding the passprop utility is incorrect.

It DOES NOT set the account lockout policy for the administrator so "The Administrator account will be subject to the same lockout policy as all other accounts are."

It DOES allow the administrator account to be locked out of accessing the system from the network.

When performing an interactive login on a local system with the local administrator account, the administrator account WILL BE ABLE TO LOGIN REGARDLESS OF THE LOCKED STATE OF THE ID.

Passprop.exe DOES NOT keep a locked administrator account out of a system entirely.

According to the documention, the exception is the interactive login to the domain controller with the domain administrator account.

According to real world testing with SP6a and NT 4.0 workstation, the REAL exception as follows:

Interactive login to the local system with the local system administrator account.

James Nelson 3/7/2001 12:38:47 PM

Provided you're following the recommendation I made in the article not to use the Administrator account for day-to-day administration, I suggest that you secure the account with a strong password and keep the password locked away. Setting up password expiration isn't necessary unless you're worried that someone will guess the password over time. Monitoring logon activity for the account can mitigate that risk.



--­Randy Franklin Smith

Randy Franklin Smith 8/2/2000 3:06:22 PM

I read R. Franklin Smith's "Protect Administrator Privileges" (February 2000), and I want to know whether the author recommends using passwords that expire on the built-in Administrator account. If so, does this configuration present any challenges?

Ingrid Beierly 8/2/2000 3:05:56 PM

I’ve been a Windows NT administrator for 2 years and a few months, and I’m still learning about NT. Recently, our corporate headquarters contracted some security specialists to investigate our security setup. I can’t believe how much they uncovered in 60 minutes!
I read R. Franklin Smith’s “Protect Administrator Privileges” (February 2000), which provided valuable in sight into NT security. I’ve immediately be gun enforcing some of the author’s suggestions. Have you published any other security articles that I might find interesting and useful?

Wayne Sutton 6/7/2000 11:29:42 AM

Security is one of the core topics that the magazine covers every month. The easiest way to find other articles is to browse the magazine’s article archive at http://www.win2000mag.com; you can search by topic, issue, author, or keywords. Another good online resource for in-depth security information is the NTSecurity.net Web site at http://www .ntsecurity.net.

Randy Franklin Smith 6/7/2000 11:29:42 AM

This may not be major, but it's worth noting that User Manager will not permit enough characters in the description field of the decoy administrator account to completely mimic the description. One or two characters have to be omitted, and can be detected. Isn't that odd ?

Bruce Bramkamp 5/25/2000 7:05:22 AM

Very good, thought provoking article. I wish you went into more depth regarding Exchange security issues.

Jon Brown 5/24/2000 9:37:12 PM

You must log on before posting a comment.

Are you a new visitor? Register Here
Free Power Tools Brochure
Get Mark Minasi's 17-page guide today!



      

advertisement

GOOGLE LINKS
SPONSORED LINKS
FEATURED LINKS

White Papers

Your remote offices contain valuable electronic data – are they adequately protected? Learn how proven technologies can reliably and cost-effectively back up a branch office from a central location, in real time, to disk or tape, and even utilize existing backup solutions.

Downloads

PacketTrap IT is a comprehensive and affordable network management and application monitoring solution that solves problems associated with bandwidth, network and application performance, and connectivity. Gain insight into your network - try PacketTrapIT free for 21 days!

Web Seminars

IT administrators have to solve a myriad of problems. This web seminar outlines the ten most common systems management pains - including managing highly distributed systems and dealing with data theft/loss – and the best practices to address each.

eLearning Series

We bring the experts direct to you to share their real-world perspective and expertise. During each event, three sessions stream in real time, so you can learn, ask questions, and get solutions.
Upcoming event: Getting the Most with Exchange 2010 with Paul Robichaux

Subscribe to Windows IT Pro!

DevProConnections ITTV Left-Brain SharePointPro Connections SQL Server Magazine SuperSite for Windows Windows IT Pro

© Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.