2.3.1.5 Configure 'Accounts: Rename administrator account'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).

Rationale:

The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.

Impact:

You will have to inform users who are authorized to use this account of the new account name. (The guidance for this setting assumes that the Administrator account was not disabled, which was recommended earlier in this chapter.)

Solution

To establish the recommended configuration, set the following Device Configuration Policy to CISADMIN or another admin account name:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Endpoint protection)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Endpoint protection/Local device security options/Accounts
Setting Name: Rename admin account
Configuration: Block

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
Data type: String
Value: CISADMIN <or choose admin account name>

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Default Value:

Administrator.

See Also

https://workbench.cisecurity.org/files/4291