Correct, the recovery console uses the local SAM 'Administrator' account and
if you rename the AD Admin the local SAM account is still called
'Administrator'.
Renaming the Admin account is a fallback to the Un*x days when everyone took
time out on their donut breaks to throw the dictionary at the SU command.
Everyone knows that on a W2K system the 'Administrator' account is boss, so
if they're gonna try and hack one they usually try that first. The actual
security of the acct is entirely down to how complex your password is
('password' gets you fired, '7t7f78 f78FV^*CR^**_C&G"£&(!"Tu' gets you
promoted) so Admin is no easier or harder to crack than any other, but the
'benefits' to a blackhat are greater.
The usual hardening routine is to rename Admin to something else, then
create a plain old user account called Administrator and set Deny All in GP,
so it's effectively useless. Then you can still log hack attempts but you
know they can't get anywhere if they guess the name of your Mom's dog.
Another area to watch though is service accounts. Often apps like backup,
email and SQL require local accounts with non-expiring passwords and local
system permissions - they are the ones that the true blackhats go after, as
many sysops can't tell a legit system account logon from a hack.
~A~
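
The logging idea in the post above (a decoy 'Administrator' account, plus telling a legitimate service account logon from a suspicious one), sketched as an added example that is not part of the original post. The simplified CSV layout, the service account names (`svc_backup`, `svc_sql`) and the host names are assumptions made for illustration; the event IDs and logon types are those of the Windows 2000 Security log.

```python
import csv
import io

# Windows 2000 Security log event IDs: 528 = successful logon,
# 529-537 and 539 = logon failures (529 = bad user name or password).
SUCCESS = {528}
FAILURE = set(range(529, 538)) | {539}
SERVICE_LOGON_TYPES = {4, 5}  # 4 = batch, 5 = service

# Assumptions for this example: decoy name and service-account baseline.
DECOY = "administrator"
SERVICE_ACCOUNTS = {"svc_backup": {"BACKUP01"}, "svc_sql": {"SQL01"}}

# Constructed sample, simplified to: time,event_id,user,logon_type,workstation
SAMPLE = """\
2003-04-01 02:00:01,528,svc_backup,5,BACKUP01
2003-04-01 02:13:40,529,Administrator,3,WKS-114
2003-04-01 02:13:42,534,Administrator,3,WKS-114
2003-04-01 02:20:05,528,svc_sql,2,SQL01
2003-04-01 02:31:17,528,svc_backup,5,WKS-114
2003-04-01 08:02:33,528,jsmith,2,WKS-020
"""

def triage(log_text):
    """Return (time, user, reason) for each event worth a look."""
    alerts = []
    for ts, eid, user, ltype, host in csv.reader(io.StringIO(log_text)):
        eid, ltype, name = int(eid), int(ltype), user.lower()
        if eid not in SUCCESS | FAILURE:
            continue
        if name == DECOY:
            # Nobody legitimate uses the decoy, so any attempt is a signal.
            alerts.append((ts, user, "attempt on decoy account"))
        elif name in SERVICE_ACCOUNTS and eid in SUCCESS:
            if ltype not in SERVICE_LOGON_TYPES:
                alerts.append((ts, user, f"service account logon type {ltype}"))
            elif host.upper() not in SERVICE_ACCOUNTS[name]:
                alerts.append((ts, user, f"service account on {host}"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(*alert, sep=" | ")
```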