Windows NT default Administrator User ID exists

Risk Level: Low risk vulnerability  Low

Check or Attack Name: adminexists
Platforms: Windows NT
Description:

An account named Administrator was found. This default account cannot be locked out by too many incorrect login attempts, and can be vulnerable to a brute force attack if a poor password is chosen.

Remedy:

Rename the Administrator account, create a new Administrator account with only Guest access, remove network access for administrator, and monitor against logon attempts.

To rename the Administrator account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the Administrator account from the list.
  3. From the User menu, select Rename to display the Rename dialog box.
  4. In the Change to field, type the new name of the Administrator account and click OK.

—AND—

To create a new Administrator account:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the User menu, select New User to display the New User dialog box.
  3. In the Username field, type a new user named Administrator.
  4. In the Password field, type a new password for the Administrator account.
  5. In the Confirm Password field, confirm the new password.
  6. Click Groups to display the Group Memberships dialog box.
  7. Verify Administrator is only a member of the Guest group.
  8. Click OK twice to close both the Group Memberships and New User dialog boxes.

—AND—

To remove network access for Administrator, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the Guest account from the list.
  3. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
  4. From the Right list, select Access this computer from network.
  5. From the Grant to list, select the user account and click Remove.
  6. Click OK.

—AND—

To enable auditing for logon attempts, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the Policies menu, select Audit to display the Audit Policy dialog box.
  3. Select Audit these events. The audit choices are enabled.
  4. From the Logon and Logoff field, select the Failure check box or the Success check box.
  5. Click OK.
  6. Open the Event Viewer. From the Windows NT Start menu, select Programs, Administrative Tools (Common), Event Viewer.
  7. From the Log menu, select Security.
  8. Carefully monitor attempts to log in as Administrator.
References:
X-Force Logo
Know Your Risks