Guest refurbmike
Posted September 26, 2007

We're trying to limit our liability and security holes by restricting the computers to only one account. At default, Windows requires one account in addition to the default Administrator account. We'd like to have one or the other - since we're plugging these computers into a domain, multiple local accounts on a computer are wasted loopholes.

Is there a way to disable one or the other? Preferably the user accounts.
Guest Ken Blake, MVP
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

On Wed, 26 Sep 2007 10:34:04 -0700, refurbmike <refurbmike@discussions.microsoft.com> wrote:

> We're trying to limit our liability and security holes by restricting the
> computers to only one account. At default, Windows requires one account in
> addition to the default Administrator account. We'd like to have one or the
> other - since we're plugging these computers into a domain, multiple local
> accounts on a computer are wasted loopholes.
>
> Is there a way to disable one or the other? Preferably the user accounts.

Two points:

1. You shouldn't ever want to disable the built-in administrator account, even if you could. That's your only way into the system if your user account gets corrupted.

2. You should always have at least one user account and use that on a regular basis. Using the administrator account instead subjects you to the risk of its getting corrupted, and having no other way into the system.

--
Ken Blake, Microsoft MVP Windows - Shell/User
Please Reply to the Newsgroup
Guest refurbmike
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

Hey Ken,

Thanks for the reply and good points.

However, we're using a domain for the user to login. The only time anybody logs in locally (using an administrator account) is to attach the computer to the domain. So, as you can see, having more than one administrator account is really useless and an unnecessary security risk.
Guest Patrick Keenan
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message news:B2CEA5EE-5F24-414D-962B-86158540907B@microsoft.com...
> We're trying to limit our liability and security holes by restricting the
> computers to only one account. At default, Windows requires one account in
> addition to the default Administrator account.

Many non-Home versions do not actually require this, but it is very, very bad practice to either disable the Administrator account or to use it as the primary - or only - account. The Admin account should only be used for required maintenance, in order to protect it - and you.

When your one account corrupts, you then have virtually no option but to remove the drive and scrape the data off it, then put it back, wipe it during a clean install and then restore the data. Ever timed that?

Instead, you could have just popped by their station, logged into the Admin account, created a new user account, migrated the data, and had the user back and working in under an hour.

> We'd like to have one or the
> other - since we're plugging these computers into a domain, multiple local
> accounts on a computer are wasted loopholes.

I'm not sure that's really correct. You'll perhaps note that Linux and Unix machines also use multiple accounts, and while the built-in Root accounts certainly exist, they aren't regarded as "wasted loopholes".

> Is there a way to disable one or the other? Preferably the user accounts.

As noted here and elsewhere, this is a very bad idea. You're asking for real problems and time-consuming solutions later. Here's the thing: when these problems arise, and they will, it's *you* that will look bad because the user is forced to do nothing for a day instead of an hour. If that user is high-ranking, they will be concerned about this.

Instead, establish a quality password routine for the Admin accounts. Use strong passwords, don't give them out, and change them regularly. Visit the account occasionally and check for last login time.

HTH
-pk
Guest Patrick Keenan
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message news:C470BDD6-BB7D-45E0-A822-72935CB79C96@microsoft.com...
> Hey Ken,
>
> Thanks for the reply and good points.
>
> However, we're using a domain for the user to login. The only time anybody
> logs in locally (using an administrator account) is to attach the computer
> to
> the domain.

Or to fix the machine when things go wrong, as they *will*.

There can be other valid non-system-critical reasons to get into this account, for example needing to add or configure hardware like a serial-to-USB adapter on a laptop. Consider the case of a lawyer's laptop in a context where he needs to attach to the serial feed from a court reporter's system - most laptops don't have serial ports. And it's a discovery proceeding being delayed, so its cost is the time of several lawyers. His account is not Admin and he can't even find out what commport the adapter is assigned without entering the Admin account, let alone install the device. His IT group has to be phoned to get the Admin password - the lawyer does not have this information.

> So, as you can see, having more than one administrator account is
> really useless and an unnecessary security risk.

One might point out that your original post specified only multiple local accounts, not multiple local *administrator* accounts. Often the user account on a domain system is not an admin level account, but the Admin account is indeed there and active, with the user not being given the password.

HTH
-pk
Guest Malke
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

refurbmike wrote:
> Hey Ken,
>
> Thanks for the reply and good points.
>
> However, we're using a domain for the user to login. The only time anybody
> logs in locally (using an administrator account) is to attach the computer to
> the domain. So, as you can see, having more than one administrator account is
> really useless and an unnecessary security risk.

It's still foolish to have only one local account. On our clients' workstations we always make a "tech" account along with the built-in Administrator account. If you give the extra account ("tech" in our case) a good, strong password, the computer isn't any more or less secure than if you only have the built-in Administrator account. You should be looking to other areas to keep your network - server and workstations - secure. This is a great place to start your research:

http://www.microsoft.com/technet/security/default.mspx?wt.svl=leftnav

Malke
--
Elephant Boy Computers
http://www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Guest refurbmike
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

Patrick,

Thanks for the input.

> When your one account corrupts, you then have virtually no option but to
> remove the drive and scrape the data off it, then put it back, wipe it
> during a clean install and then restore the data. Ever timed that?

The few times we're working w/ the local Administrator accounts is only to put the machine into a domain and get going. If that fails, then likely something bigger is amidst and we can simply re-image the computer; probably takes a whole lot less time than trying to troubleshoot a corrupted computer.

> Instead, establish a quality password routine for the Admin accounts. Use
> strong passwords, don't give them out, and change them regularly. Visit
> the account occasionally and check for last login time.

We have 300 machines in our office. With our current scripting software, we can change the password of the "Administrator" account, but no other local account. So if we want to have a 2nd account, we'd have to visit each computer twice a year to change the password. Not the best practice for us.
Guest refurbmike
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

> There can be other valid non-system-critical reasons to get into this
> account, for example needing to add or configure hardware like a
> serial-to-USB adapter on a laptop. Consider the case of a lawyer's laptop
> in a context where he needs to attach to the serial feed from a court
> reporter's system - most laptops don't have serial ports. And it's a
> discovery proceeding being delayed, so its cost is the time of several
> lawyers.

In the rare case that a situation like this arises, we have domain admin accounts that are cached on the box (from having to set-up equipment/software/etc.). If we really need to go this route, we can have the user log in w/ this account - we can always change the domain passwords later. However, this is a scenario we don't really run into.
Guest refurbmike
Posted September 26, 2007

Re: Disable default accounts or don't require user accounts...

> It's still foolish to have only one local account. On our clients'
> workstations we always make a "tech" account along with the built-in
> Administrator account. If you give the extra account ("tech" in our
> case) a good, strong password, the computer isn't any more or less
> secure than if you only have the built-in Administrator account. You
> should be looking to other areas to keep your network - server and
> workstations - secure.

I am trying to appreciate the feedback, but it's starting to get rather bitter. I don't appreciate having my ideas called foolish....

As far as security risks, we're trying to protect against possible exploits w/ future employees that leave. We could have the most complex password in the world; if we cannot change it w/in reason (not having to visit 300 computers over a span of a few hundred miles), then we'd rather not use it.
Guest Patrick Keenan
Posted September 27, 2007

Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message news:A845BDAD-10FC-4975-9F1D-3E017171D962@microsoft.com...
> Patrick,
>
> Thanks for the input.
>
>> When your one account corrupts, you then have virtually no option but to
>> remove the drive and scrape the data off it, then put it back, wipe it
>> during a clean install and then restore the data. Ever timed that?
>
> The few times we're working w/ the local Administrator accounts is only to
> put the machine into a domain and get going. If that fails, then likely
> something bigger is amidst and we can simply re-image the computer;
> probably
> takes a whole lot less time than trying to troubleshoot a corrupted
> computer.

If you have planned for that contingency, then the need for a 2nd *local* account is significantly reduced, and you are covered.

However, it doesn't change the need for one local (Administrator) and one domain (User) account, at minimum. Your posts are a little unclear regarding this specific detail.

>> Instead, establish a quality password routine for the Admin accounts.
>> Use
>> strong passwords, don't give them out, and change them regularly. Visit
>> the account occasionally and check for last login time.
>
> We have 300 machines in our office. With our current scripting software,
> we
> can change the password of the "Administrator" account, but no other local
> account. So if we want to have a 2nd account,

This is a somewhat unclear statement and this lack of clarity is probably leading to some of the friction you're experiencing elsewhere. Do you mean a second account, period, or a second *administrator* account? This is a very important detail!

No, there isn't a great need to have more than one local *administrator* account, particularly if you are ready to re-image on moderate failure.

Yes, there *is* a need to have more than one account on the system, one system administrator account and one user. A common arrangement is that Administrator is local, while User is domain but does not have admin rights.

HTH
-pk

> we'd have to visit each
> computer twice a year to change the password. Not the best practice for
> us.
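The arrangement Patrick recommends (a local built-in Administrator plus a domain user without admin rights), his earlier advice to check the admin account's last login and rotate its password, and refurbmike's worry about extra local accounts whose passwords nobody rotates can all be audited from a script. The following PowerShell is an added example, not code from the thread; it assumes a current Windows host with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later, not the XP machines discussed) and an elevated session.

```powershell
# Added example (not from the thread): audit the local accounts on a
# domain-joined workstation. For every local account report whether it is
# enabled, when it last logged on, when its password was last set, and
# whether it is a member of the local Administrators group, then flag any
# enabled local admin other than the built-in Administrator (RID 500).
# Assumes Microsoft.PowerShell.LocalAccounts and an elevated session.

$computer = $env:COMPUTERNAME

# Local (not domain) user members of the local Administrators group,
# as "HOST\name" strings.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { $_.Name }

$report = foreach ($u in Get-LocalUser) {
    # The built-in Administrator keeps RID 500 even if it has been renamed.
    $isBuiltIn = $u.SID.Value.EndsWith('-500')
    $isAdmin   = $localAdmins -contains "$computer\$($u.Name)"
    [pscustomobject]@{
        Computer        = $computer
        Account         = $u.Name
        Enabled         = $u.Enabled
        BuiltInAdmin    = $isBuiltIn
        LocalAdmin      = $isAdmin
        LastLogon       = $u.LastLogon        # $null if it has never logged on
        PasswordLastSet = $u.PasswordLastSet
        # The case the thread argues over: an extra, enabled local admin
        # account that the central password-rotation script does not cover.
        Flag            = (-not $isBuiltIn) -and $u.Enabled -and $isAdmin
    }
}

$report | Format-Table -AutoSize

# Stale-password check (constructed 180-day threshold, roughly the
# "twice a year" rotation mentioned in the thread).
$stale = $report | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and
    $_.PasswordLastSet -lt (Get-Date).AddDays(-180)
}
if ($stale) { Write-Warning "Local accounts with passwords older than 180 days:"; $stale | Format-Table Account, PasswordLastSet }

# Rotating the built-in Administrator password the way the thread suggests;
# the value is prompted for, never hard-coded in the script.
# $pw = Read-Host -AsSecureString 'New password for built-in Administrator'
# Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') } | Set-LocalUser -Password $pw
```

Run against the 300 machines via whatever remote execution the site already uses, the Flag and stale-password columns show exactly which hosts still carry the unmanaged second local admin the thread is about.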
Guest refurbmike
Posted September 27, 2007

Re: Disable default accounts or don't require user accounts...

Patrick,

Fair enough response. Lemme see if I can clarify.

I'd like the computer to only have/need one administrator account locally, not including any domain accounts that may be piled on after. As of current, the computer has two: the default Administrator account and the required account (named "User", for now) that WindowsXP required me to make when I installed the OS. As of current, both of these must be administrators by default - I cannot downgrade either of these accounts, so I am stuck with an unnecessary administrator account on the computer.