IT Baseline Protection Manual S 4.77 Protection of administrator accounts under Windows NT

Initiation responsibility: Head of IT Section, IT Security management

Implementation responsibility: Administrators

An administrator account is created each time a Windows NT system is installed. On Windows NT computers which have been installed as workstations or servers without a domain controller function, this pre-defined administrator account is a member of the group titled "Administrators". On servers installed as primary domain controllers under Windows NT, the pre-defined administrator account is made a member of the groups titled "Administrators", "Domain Admins" and "Domain Users". It is also possible to add any defined user account on a Windows NT computer to the groups titled "Administrators" and "Domain Admins".

The pre-defined administrator account and the user accounts added to the "Administrators" and "Domain Admins" groups following installation receive the rights and authorisations allocated to the group(s) of which they are members. These accounts are used by the persons in charge of managing the overall configuration of the workstation or server. Administrators possess a greater ability to control the Windows NT computer than any other user.

However, the pre-defined administrator account differs in essential respects from all other accounts under Windows NT. It cannot be deleted, and is not affected by the automatic locking mechanism which comes into effect following repeated login attempts using an incorrect password. Furthermore, it cannot be removed from the "Administrators" group on Windows NT Workstations and Windows NT Servers, unless a domain controller functionality is available. On Windows NT domain controllers, it is not possible to remove the pre-defined administrator account from both the "Administrators" and "Domain Admins" groups. However, removal from either one of these two groups is possible. This prevents an administrator from being denied access to the system on a temporary or permanent basis. On the other hand, this mechanism increases the risk of intrusion. Here, it must expressly be pointed out that all subsequently created user accounts which have received administrative rights through admission to the "Administrators" or "Domain Admins" group can, of course, be blocked, deleted or removed from these groups by other administrators. Automatic blocking following repeated attempts at login with an incorrect password is also effective for these accounts, provided that it has been defined in the account guidelines.

The pre-defined administrator account on all Windows NT computers should be renamed such that the new name cannot be easily guessed. The account should be assigned a secure password during installation (refer to S 2.11 Provisions governing the use of passwords). Wherever possible, the password should have the maximum length of 14 characters and be kept in a safe place. For daily administration, it is advisable not to use the pre-defined administrator account, but user accounts which are added to the "Administrators" or "Domain Admins" group. The passwords for these accounts should have a minimum length of 8 characters. The pre-defined administrator account should only be used if access is no longer possible via the subsequently created accounts possessing administrator rights, for example, after these accounts have been blocked due to repeated attempts to log in with an incorrect password.

It is also advisable to subsequently create a new account named "Administrator", provide it with a password, deactivate it, and only include it in the group titled "Guests". No special system rights should be assigned to this account, as it is only meant to put potential intruders on the wrong track.

Furthermore, the security log should regularly be checked for login attempts into accounts possessing administrator rights (refer to S 4.54 Logging under Windows NT).
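Because the pre-defined administrator account is immune to automatic locking, repeated bad-password attempts against it (and any attempt at all against the deactivated decoy "Administrator" account) can only be caught by reviewing the security log. The following script is an added example, not part of the BSI measure text: it reads a constructed comma-separated export of the NT security log (the column layout is an assumption; the event IDs 528, 529 and 539 and logon type 3 are the real Windows NT 4.0 values) and reports the conditions this measure asks the reviewer to look for.

```python
"""Review an exported Windows NT security log for administrator-account activity.

Added example. Assumes an Event Viewer export with the constructed column layout
used in SAMPLE_EXPORT; NT 4.0 event IDs 528 (successful logon), 529 (unknown user
name or bad password), 539 (account locked out) and logon type 3 (network) are real.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

SUCCESSFUL_LOGON, BAD_PASSWORD, ACCOUNT_LOCKED = 528, 529, 539
NETWORK_LOGON_TYPE = 3  # logon type 3 = "Access to this computer from the network"

# Constructed sample export: "nt_root" is the renamed pre-defined administrator,
# "Administrator" is the deactivated decoy account that is only a member of "Guests".
SAMPLE_EXPORT = """date,time,event_id,user,domain,logon_type,workstation
1999-07-12,08:02:11,528,nt_root,CORP,2,PDC01
1999-07-12,08:15:40,529,Administrator,CORP,3,WS017
1999-07-12,08:15:43,529,Administrator,CORP,3,WS017
1999-07-12,08:16:02,529,nt_root,CORP,3,WS017
1999-07-12,08:16:05,529,nt_root,CORP,3,WS017
1999-07-12,08:16:09,529,nt_root,CORP,3,WS017
1999-07-12,09:30:00,528,adm_mueller,CORP,3,ADMWS01
1999-07-12,09:45:12,528,adm_mueller,CORP,3,WS042
1999-07-12,10:01:00,539,adm_schmidt,CORP,2,WS009
"""


def review_security_log(export_text, admin_accounts, decoy_account,
                        allowed_admin_workstations, failure_threshold=3):
    """Return a dict of findings keyed by finding type (empty dict = nothing found)."""
    admins = {a.lower() for a in admin_accounts}
    failures = Counter()
    findings = defaultdict(list)
    for row in csv.DictReader(StringIO(export_text)):
        event, user = int(row["event_id"]), row["user"].lower()
        logon_type, ws = int(row["logon_type"]), row["workstation"]
        if user == decoy_account.lower():
            # The decoy is deactivated and has no rights: any attempt is an intruder signal.
            findings["decoy_account_attempt"].append((row["time"], ws))
        elif user in admins:
            if event == BAD_PASSWORD:
                failures[user] += 1  # the built-in account never locks, so count by hand
            elif event == ACCOUNT_LOCKED:
                findings["admin_account_locked"].append((user, ws))
            elif (event == SUCCESSFUL_LOGON and logon_type == NETWORK_LOGON_TYPE
                  and ws not in allowed_admin_workstations):
                # Remote administration only from the workstations named in the guidelines.
                findings["network_admin_logon_from_unlisted_host"].append((user, ws))
    for user, count in failures.items():
        if count >= failure_threshold:
            findings["repeated_bad_password"].append((user, count))
    return dict(findings)
```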

Special destructive software exists which allows a user who has logged in locally to add any number of user accounts to the group titled "Administrators". To prevent this, the hot fix "getadmin-fix" should be installed on all computers running on Windows NT 4.0 with service pack 3. This hot fix can be obtained free-of-charge from Microsoft. When service pack 4 has been installed, it is no longer necessary to install the hot fix mentioned above.

In addition, to prevent the administrator password from being extracted, the rights to access the directories %SystemRoot%\SYSTEM32\Config and %SystemRoot%\SYSTEM32\Repair should be set as recommended in S 4.53 Restrictive allocation of access rights to files and directories under Windows NT. Start-up diskettes and any existing backup tapes should be stored under lock and key.

Depending on the degree of protection required by the data processed on Windows NT Workstations, a decision must be made as to whether the same password should be used for all local administrator accounts. A general recommendation cannot be made here. However, if the decision goes in favour of using the same password for all workstations, it must be noted that an intruder who is able to crack this password will gain administrative access to all the corresponding workstations.

The following measures should also be implemented on Windows NT Servers. The administrator accounts on the various servers should not all be assigned the same password. Furthermore, remote administration via the network should be avoided wherever possible. This is achieved by denying the "Administrators" group the right designated "Access to this computer from the network". If remote administration is indispensable, for example, due to the given spatial environment, the resulting possibilities of intrusion should be minimised. For this purpose, login via the network for user accounts with administrative rights should only be allowed from Windows NT computers specified in the account guidelines. If possible, these computers should be installed in secure areas. It is vital that LAN Manager compatibility is deactivated on these computers, in order to prevent the passwords of user accounts with administrative rights from being transmitted through the network in unencrypted or only poorly encrypted form. For this purpose, it is necessary to install the hot fix "lm-fix" if Windows NT 4.0 with service pack 3 is used. If service pack 4 has already been installed on the system, it is not necessary to install the hot fix. In the registry, however, it is necessary to add to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Lsa the entry "LMCompatibilityLevel" of type "REG_DWORD" with the value "2".

A Windows NT computer thus modified is no longer able to access resources located on computers which do not recognise the Windows NT authentication scheme. This includes, for example, all computers running under the Windows 95 operating system.

On domain controllers, it is not sufficient to deny the "Administrators" group the right designated "Access to this computer from the network", because on such controllers the pre-defined administrator account is automatically made a member of the "Domain Admins" and "Domain Users" groups. For this reason, the pre-defined administrator account should be removed from the "Domain Admins" group. This can be done as long as this account remains a member of the "Administrators" group. The pre-defined administrator account should also be removed from the "Domain Users" group. However, this is not directly possible, as this group is the primary group of the account. Consequently, an arbitrary global group must first be created which does not possess the right designated "Access to this computer from the network". The pre-defined administrator account is to be added to this group, which should then be set as the primary group of the account. Afterwards the pre-defined administrator account can be removed from the "Domain Users" group.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999