That is why some admins rename the administrator account, though that is only effective for some types of attacks because the built-in administrator account is a well-known SID that cannot be changed. Properly configured firewalls will make sure that users on untrusted networks will not be able to enumerate users and groups. For high security within a network, admins often can only log on via a smart card. --- Steve
Hmmm, it's really stupid to expose the admin account name to the world. At least, there should be an option to protect the name. Thank you!
Well, that would be hard to do. Any user can run the command net localgroup administrators to see members of the administrators group. What you must do is to make sure that the local administrators use strong passwords so that other users cannot guess. You can use local Group Policy [gpedit.msc] or the Shared Computer Toolkit to try and restrict users from accessing Control Panel, the command prompt, net.exe, the registry, MMC snap-ins, etc. The Shared Computer Toolkit generally works better on non-domain computers because local Group Policy applies to ALL local computer users including administrators unless you hack permissions to the \windows\system32\group policy\user folder, which also causes the admins not to be able to manage local Group Policy. --- Steve
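Since the replies above note that any user can list the Administrators group and that renaming does not change the built-in account's SID, an administrator can audit what that listing exposes. The script below is an added example, not part of the original posts; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets available.

```powershell
# Added example: audit the local Administrators group from the defender's side.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# does not depend on the (possibly localized or renamed) group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    $sid = $m.SID.Value

    # Get-LocalUser only resolves local user accounts. Domain accounts and
    # nested groups return nothing here and are reported without details.
    $user = Get-LocalUser -SID $sid -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name             = $m.Name
        Source           = $m.PrincipalSource
        SID              = $sid
        # The built-in administrator keeps RID 500 whatever it is renamed to.
        BuiltInAdmin     = $sid -match '^S-1-5-21-(\d+-){3}500$'
        Enabled          = if ($user) { $user.Enabled } else { $null }
        PasswordRequired = if ($user) { $user.PasswordRequired } else { $null }
        PasswordLastSet  = if ($user) { $user.PasswordLastSet } else { $null }
    }
}

# Full membership, as any local user could also list it by name.
$report | Format-Table -AutoSize

# Accounts worth a closer look: enabled local administrators that do not
# require a password or have never had one set.
$report |
    Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or -not $_.PasswordLastSet) } |
    Format-Table Name, SID, PasswordRequired, PasswordLastSet -AutoSize
```

The BuiltInAdmin column stays True for the RID 500 account after a rename, which is why the strong-password advice above matters more than hiding the name.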
In the "Control Panel --- Administrative Tools --- Computer Management --- Local Users and Groups" console.
Where is this happening - on the local computer or in Active Directory? --- Steve
Hello,
I notice that power users can browse who are administrator accounts by default. Is there a security policy option to disable this behavior? I need most of the power user's rights, but don't want this account to know anything about the higher level accounts.
Best regards,
Zhenxin Li