Hack 71 Rename the Administrator and Guest Accounts

figs/beginner.gif figs/hack71.gif

Renaming the default administrator and guest accounts is a simple but effective step to help secure your machines.

To enhance system security on your Windows server-based network, you should rename the administrator account. You should choose a name that does not identify it as an administrator account, to make it difficult for any unauthorized user to break into the computer or network. One of the account settings in Windows 2000/2003 allows you to enter an account name to rename the administrator and guest accounts automatically using Local Security Policy (for standalone machines in a workgroup) or Group Policy (in an Active Directory environment).

To access local policy settings, click StartRun, type mmc, and press Enter. Select FileAdd/Remove Snap-in. Click the Add button, scroll through the list until you see Group Policy (in Windows 2000) or Group Policy Object Editor (in Windows Server 2003). Click add, then finish (the default is to manage Local Computer). Expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and Security Options. If you like, you can save this console with a familiar name to have this MMC snap-in available for future use. Once you've selected Security Options, you should see a screen similar to Figure 8-1 (if you're running Windows Server 2003 or Windows XP).

Figure 8-1. Policy settings for the default administrator and guest accounts in Windows Server 2003 and Windows XP

In the pane on the right, you can see that the first five options detail policies for Accounts. The last two options in the Accounts section are used to rename the administrator account and rename the guest account. Clicking on "Accounts: Rename administrator account" brings up the screen shown in Figure 8-2. You will see a similar screen if you select the Guest option. Simply type whatever name you want to use and click OK. This automatically renames the administrator or guest accounts.

Figure 8-2. Renaming the default Administrator account

Some Considerations

Note that if your machine belongs to a domain, the local policy settings you configure using the previous method might be overwritten by any Group Policy settings defined at the domain, organizational unit (OU), or site level.

Windows 2000 provides only the first two Accounts policy settings and they're named differently than the settings shown in Figure 8-2. The Windows Server 2003 setting named "Accounts: Rename administrator account" is simply named "Rename administrator account" in Windows 2000, and likewise with the Guest account policy setting. Windows XP, however, is identical to Windows Server 2003 in this regard.

Finally, as a further security precaution, after you rename the accounts, you might want to add another administrator and guest account (through the User Accounts option). Once you create these accounts, give them a secure password, but give the accounts no rights to anything. Even if the administrator and guest accounts are compromised, the potential intruder will have no rights to do anything to the computer.

?John Gormly