Windows Administrator Accounts Guideline
This document describes the guidelines that Computing Services has developed to ensure secure use of Windows operating system accounts with administrator or privileged access rights.
This guideline applies to Windows operating system accounts on any computer, device or application that have administrator or privileged access rights.
Purpose of the Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Windows Administrator Accounts.
It also introduces effective practices that reduce the opportunity for intruders to gain access to privileged accounts, reduce stealth installations of unwanted or malicious software, improve the security and manageability of privileged accounts that are shared within workgroups, and limit the use of privileged accounts according to the principle of least privilege.
All Microsoft Windows systems have a built-in local Administrator account, usually named "Administrator" and always identifiable by its well-known relative ID of 500 whatever it has been renamed to (on newer Windows versions it is disabled by default but still present). This account has elevated (super user) privileges, so it is a common target for attackers attempting to compromise systems. Malicious code delivered by a web site you visit or an email attachment you open runs with the privileges of the account you are logged on with. If you are logged on as Administrator or an equivalent account, that code can, among other things, reformat your hard disk drive, delete your files, and create a new user account with administrative privileges for later malicious use; if you are logged on as a limited user, the same code is confined to what that user is permitted to do.
For most purposes (e.g., day-to-day user activity) the administrator account is not required to perform the task at hand.
Principle of least privilege: all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task.
Steps to take:
- Immediately change the “Administrator” account password that comes by default with any Windows system. The password should meet approved Password Guidelines.
- When creating new accounts with administrator privilege, avoid account names that reveal the level of assigned privilege, such as “_admin”, “super_user”, “sysadmin”, etc.
- Apply the principle of least privilege to all accounts: for normal, day-to-day computing that does not require administrator privilege, log on with a “limited” (non-administrator) account only.
- Limit who has access to accounts with administrator privilege. If access is warranted, limit the scope of access to only authorized computers.
- Audit all administrator logon/logoff events and failed logon attempts, and review the event logs for unexpected password changes on administrator accounts. Promptly investigate unexpected or unusual findings.
- Do not include account names and passwords in script files (or any other unencrypted file). On Windows systems, use the “RunAs” command to launch system scripts under a privileged account: it prompts for the password at run time, so the password never has to be stored.
- Consider changing administrator passwords remotely from a known secure machine, so that a “keylogger” on a compromised computer cannot capture the new password as it is typed.
- Consider disabling anonymous SAM enumeration. SAM enumeration is the ability to list all account names and SIDs on a given machine; when it is allowed anonymously, an attacker can collect the names of privileged accounts over the network before trying to guess their passwords. The relevant settings are “Network access: Do not allow anonymous enumeration of SAM accounts” and “Network access: Do not allow anonymous enumeration of SAM accounts and shares” under Security Options; set them in the local GPO for an individual machine OR in one of the domain GPOs for networked machines.
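The steps above, as an added PowerShell example that is not part of the Computing Services guideline and not Microsoft's code. It assumes a Windows 10 / Server 2016 or later host with the LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember, Set-LocalUser), an elevated PowerShell session, and, for the remote password change, PowerShell remoting enabled on the target. The audit subcategory names, Security log event IDs and Lsa registry values are the standard Windows ones; the name pattern, the seven-day review window, and any host, account and script path passed in are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example for the Windows Administrator Accounts guideline (not the guideline's
# own code). Assumes Windows 10 / Server 2016+ and an elevated session; the remote
# function also assumes PowerShell remoting. Names passed in by the operator are placeholders.

# Default password: find the built-in Administrator by its well-known relative ID (500),
# not by name, and report whether its password is still the one set at OS installation.
function Get-BuiltinAdministrator {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-BuiltinAdminPassword {
    $admin   = Get-BuiltinAdministrator
    $install = (Get-CimInstance Win32_OperatingSystem).InstallDate
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        # True when the password has not been changed since the OS was installed.
        StillDefault    = ($null -eq $admin.PasswordLastSet) -or ($admin.PasswordLastSet -le $install)
    }
}

# Account names: flag members of Administrators whose names advertise their privilege level.
function Find-RevealingAdminNames {
    $pattern = 'admin|super|sysadmin|root'   # assumed list; extend for local naming conventions
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -match $pattern } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Auditing: enable the subcategories that write logon/logoff, failed logon and
# account-management (password change) events to the Security log.
function Enable-AdminAccountAuditing {
    auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Logoff" /success:enable | Out-Null
    auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
}

# Review: list those events for every member of the local Administrators group.
function Get-AdminAccountEvents {
    param([int]$Days = 7)   # review window is an assumption
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name | ForEach-Object { ($_ -split '\\')[-1] }
    $kinds  = @{ 4624 = 'logon'; 4625 = 'FAILED logon'; 4634 = 'logoff'
                 4723 = 'password change attempt'; 4724 = 'password RESET'; 4738 = 'account changed' }
    $filter = @{ LogName = 'Security'; Id = [int[]]$kinds.Keys; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the target account from the event XML rather than relying on field positions.
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($admins -contains $target) {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Account = $target; What = $kinds[$_.Id] }
        }
    }
}

# RunAs equivalent: launch a script under a privileged account without storing the
# password in any file (runas.exe form: runas /user:HOST\account "powershell.exe -File task.ps1").
function Start-AsPrivilegedAccount {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string]$ScriptPath)
    $cred = Get-Credential -UserName $Account -Message "Password for $Account (prompted, not stored)"
    Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-File', $ScriptPath -Credential $cred
}

# Remote change: set the built-in Administrator password on another machine from a
# trusted workstation, so it is never typed on a possibly keylogged host.
function Set-RemoteBuiltinAdminPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $new = Read-Host -AsSecureString "New built-in Administrator password for $ComputerName"
    Invoke-Command -ComputerName $ComputerName -ArgumentList $new -ScriptBlock {
        param([securestring]$NewPassword)
        Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
            Set-LocalUser -Password $NewPassword
    }
}

# SAM enumeration: the two "Network access: Do not allow anonymous enumeration of SAM
# accounts [and shares]" security options as local registry values (a domain GPO sets the same).
function Disable-AnonymousSamEnumeration {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous'    -Value 1 -Type DWord
}

# Run the checks, apply the settings, then review the last week of administrator events.
Test-BuiltinAdminPassword
Find-RevealingAdminNames
Enable-AdminAccountAuditing
Disable-AnonymousSamEnumeration
Get-AdminAccountEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

The event review deliberately matches on the event's TargetUserName field rather than on the account named in the message text, so a renamed built-in account or a workgroup account with an innocuous name is still caught as long as it is a member of Administrators; a burst of 4625 (failed logon) entries against one of those names, or a 4724 (password reset) nobody can account for, is the kind of finding the guideline asks you to investigate promptly.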
User Responsibilities and Procedures
End-users should discuss the implementation of administrator privilege with their departmental administrator. Users should follow all policies and procedures indicated in this document and/or prescribed by their departmental administrator. If end-users don’t have a departmental administrator, contact the Help Center at 412-268-HELP (4357) or email firstname.lastname@example.org
Guideline Modified: April 11, 2006
Guideline Established: April 11, 2006