2.4.1 Remove default admin user and create one with other name

Information

Before deploying any new FortiGate, it is important to change the password of the default admin account.

It is also recommended that you change the user name of the default admin account. Because the user name of the account you are currently logged in with cannot be changed, a second administrator account must be created first, and the default account then deleted from a session that uses the new account.

Default credentials are well documented by most vendors, including Fortinet. Therefore, they are among the first things an attacker will try in order to gain unauthorized access to the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

First, create another local admin account, for example mycompanyadmin.

#if VDOM enabled
config global
#configure new admin
config system admin
edit "mycompanyadmin"
set password <password>
set accprofile "super_admin"
next
end
#if VDOM enabled, leave the global context
end

Verify that the new account works by logging in from a second CLI session; do not log out of your current session until that login succeeds.

Once validated, log out of the default local admin account and use the CLI session with mycompanyadmin to delete the default local admin account.

Before deleting it, make sure there are no remaining references to the account elsewhere in the configuration (groups, etc.), otherwise the delete will fail or leave dangling references.

#if VDOM enabled
config global
config system admin
delete "admin"
end
#if VDOM enabled, leave the global context
end

To do the same in the GUI:

Global (if VDOM enabled) > System > Administrators

Create New admin account (mycompanyadmin).

Verify that you can log in with that account via another browser session (e.g. incognito mode).

Remove the default admin account from the System > Administrators menu.
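Because this item is not checked automatically, a practitioner will usually want to verify it offline against a configuration backup. The following script is an added example and is not part of the CIS benchmark, Nessus, or any Fortinet tooling. It parses the config / edit / set / next / end text layout of a FortiGate backup, works whether or not the system admin table is nested under config global (VDOM enabled), and reports three things: whether the default "admin" account still exists, whether a replacement super_admin account exists (so the default is not deleted before a replacement is ready), and whether the default name is still referenced on any set line elsewhere in the configuration. The sample configurations, host name and password hashes are constructed for the example.

```python
"""Audit a FortiOS configuration backup for the default "admin" account.

Added example, not part of the CIS benchmark or Fortinet tooling. Parses the
text layout of a FortiGate backup (config / edit / set / next / end).
"""

# Constructed sample of a FortiOS backup, VDOM disabled. Names and
# password hashes are placeholders, not taken from a real device.
SAMPLE_CONFIG = """\
#config-version=FGT-7.0.12:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder1
    next
    edit "mycompanyadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC placeholder2
    next
end
"""

# The same constructed backup after the remediation: default account deleted.
HARDENED_CONFIG = """\
#config-version=FGT-7.0.12:opmode=0:vdom=0:user=mycompanyadmin
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "mycompanyadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC placeholder2
    next
end
"""


def parse_admins(config_text):
    """Return {name: {setting: value}} for each entry under 'config system admin'.

    A stack of open 'config' sections handles both layouts: the table at top
    level (VDOM disabled) and nested under 'config global' (VDOM enabled).
    Sub-tables inside an admin entry push their own section and are skipped.
    """
    stack = []        # names of the 'config' sections currently open
    admins = {}
    current = None    # admin entry whose 'set' lines we are reading
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system admin":
            if line.startswith("edit "):
                current = line[len("edit "):].strip().strip('"')
                admins[current] = {}
            elif line == "next":
                current = None
            elif line.startswith("set ") and current is not None:
                key, _, value = line[len("set "):].partition(" ")
                admins[current][key] = value.strip().strip('"')
    return admins


def find_references(config_text, name):
    """Line numbers of 'set' lines anywhere in the backup that use the quoted name."""
    needle = f'"{name}"'
    return [
        n for n, raw in enumerate(config_text.splitlines(), 1)
        if raw.strip().startswith("set ") and needle in raw
    ]


def audit(config_text, default_name="admin"):
    """Return a list of findings; an empty list means the control is satisfied."""
    admins = parse_admins(config_text)
    findings = []
    if default_name in admins:
        findings.append(f'default account "{default_name}" still exists')
    replacements = [
        n for n, s in admins.items()
        if n != default_name and s.get("accprofile") == "super_admin"
    ]
    if not replacements:
        findings.append("no replacement super_admin account; do not delete the default yet")
    refs = find_references(config_text, default_name)
    if refs:
        findings.append(f'"{default_name}" still referenced on lines {refs}')
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against a backup exported from the device (System > Configuration > Backup, or `execute backup config` on the CLI) by reading the file into `audit()`. The reference check is deliberately broad (any quoted use of the name on a set line), so review its hits manually rather than treating them all as blockers.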

Impact:

If the default account is left unchanged, any script or attacker that tries the well-known default credentials will be able to access the system. Even with a new password, keeping the default user name gives an attacker a known-valid account to brute-force.

See Also

https://workbench.cisecurity.org/benchmarks/24708

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|4.2

Plugin: FortiGate

Control ID: b993d269fdd168ca01e70dc9d839f0c9891c3320cc1e0b224b214fdef3b7d15e