
Friday, November 17, 2017

Should I disable builtin domain Administrator account?

The builtin domain Administrator account (the account with RID 500 in the domain) is a special account and behaves unlike other accounts in Active Directory:

  • It cannot be deleted.
  • It cannot be locked out (the Event Log will still record a lockout event for it, but the account is not actually locked).
  • It is re-enabled when you boot into Directory Services Restore Mode or Safe Mode, even if it was disabled before.

To summarize: I would recommend disabling the account, because you will always get a chance to re-enable it from Safe Mode if such a time comes. Before disabling it, give it a long random password and store that password offline, because the account remains your emergency recovery path.

The second-best option is to have a SIEM or another notification mechanism in place that alerts you when accounts are locked out, or when logons to the Administrator account fail repeatedly (Security events 4625, 4771 and 4776 on the domain controllers). This lets you notice brute-force attacks against the Administrator account early.
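The following PowerShell is an added example for this post, not the author's code. It puts both recommendations into practice: it locates the builtin Administrator by its well-known RID 500 (the name may have been changed, the RID cannot), checks for recent use, resets the password, disables the account and verifies the result; it then queries a domain controller's Security log for failed logons and lockout events that name the account. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that it is run on or against a domain controller; the 24-hour window and the alert threshold of 20 failures per source are assumptions to tune for your environment.

```powershell
# Added example (not from the original post): disable the builtin domain
# Administrator account and watch for attacks against it.
# Assumes the RSAT ActiveDirectory module, Domain Admin rights, and a domain
# controller as the event source.
Import-Module ActiveDirectory

# The builtin Administrator's SID is always <DomainSID>-500, whatever its name.
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"
$admin    = Get-ADUser -Identity $adminSid -Properties Enabled, LastLogonDate, PasswordLastSet

# Check before disabling: a recent LastLogonDate means a person, script or
# service still signs in with this account and will break when it is disabled.
$admin | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet | Format-List

# Give the account a long random password first. It stays the emergency
# recovery account (re-enabled from Safe Mode), so record the password offline.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $adminSid -Reset -NewPassword $newPassword

Disable-ADAccount -Identity $adminSid

# Verify the change actually took effect.
$enabled = (Get-ADUser -Identity $adminSid -Properties Enabled).Enabled
if ($enabled) { throw "Builtin Administrator ($adminSid) is still enabled" }
"Disabled $($admin.SamAccountName) ($adminSid)"

# Detection side: failed logons and lockout events naming the builtin
# Administrator, from this domain controller's Security log (assumed 24h window).
#   4625 - failed logon, 4771 - Kerberos pre-authentication failed,
#   4776 - NTLM credential validation failed, 4740 - account locked out
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740, 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $admin.SamAccountName) { continue }
    # The source field differs per event: IpAddress (4625/4771), Workstation
    # (4776), or the caller computer name, which 4740 stores as TargetDomainName.
    $source = $data['IpAddress']
    if (-not $source) { $source = $data['Workstation'] }
    if (-not $source) { $source = $data['TargetDomainName'] }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Source = $source }
}

# A burst of failures from one source is the brute-force signal to alert on.
# The threshold (20 in the window) is an assumption; tune it to your environment.
$hits | Group-Object Source | Where-Object Count -ge 20 |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

In a real deployment the detection half belongs in the SIEM as a scheduled rule rather than an ad-hoc query, but the field mapping above (TargetUserName for the account, IpAddress/Workstation/TargetDomainName for the source) is the same one the rule needs.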
