Action Purpose

Rename Administrator Helps thwart attempts to compromise the account password.

Hide Administrator Reduces the chance of the account being discovered.

Place in a domain-level OU. OU-level administrators do not have access to the domain-level


Provide a highly complex password Following policy, the password should be at least nine characters and be highly complex. This will make it much harder to crack the password; and because a long password takes time to crack, the chance of being alerted to the attempt before it is cracked is more likely.

Conceal the data The user ID and password should be known to a few of the most trusted people (if possible, no more than two people).1 The name and password should be locked away as hard copy; securing this account with a smart card is even better.

Create a Decoy This practice adds another layer of protection. The account should

Administrator account be given no special privileges and its password should be set to complex and audited. It must never expire. This account also acts as a honey pot for exposing possible hacking.

1This helps to keep the account out of the hands of rouge or malicious administrators.

While any effort that helps limit the attack surface is worthwhile exploring, hacking tools are now so advanced that the renamed or hidden Administrator account can easily be discovered. In fact, all Administrative accounts can be easily identified on a domain because the security identifier of the account (SID) is well known. It thus makes more sense to protect the account with certificates (technology) and usage rules (policy) than to try hiding the account.

An administrator is often tempted to use the Administrator account on a server or workstation because it is convenient. One way to discourage this is to make the password so complex that no administrator would want to use it on the domain, or require the checking out of a token or smart card from the security administration. Setting the password to a combination of 15 complex characters would discourage any casual use of the password. It is also common to split the name and password combination between two or more people, possibly even splitting the password between two or more people.

It makes more sense to secure the Administrator account with a highly complex password, and then store the data on a smart card and enforce the logon with the smart card and not the password. The card can then be locked away in a vault and made available when needed. A simple PIN, even four digits, is sufficient. The Administrator account is thus always secure by virtue of it being relegated to a chip stored on a piece of plastic that can be locked away in a vault. Smart card pins lock after three attempts to crack them, and this does not impact operations in any way. The same treatment should apply to any permanent account made a member of the Enterprise Admins group; or, as recommended in this architecture, we limit group membership to only the Administrator account.

These steps to secure the Administrator account are described in Chapter 14 in the section "Locking down Domain Admins."

Was this article helpful?

0 0

Post a comment