Security and Windows Vista: A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)
Enable real Administrator & set password so I can install driv
Leave it disabled. There is no reason to use that account. Your personal administrator account will work exactly the same. The built-in Administrator (note the capitalization) account is for disaster recovery purposes only.

Jesper: I usually recommend having two Admin gp user accts enabled in case one gets locked out as happened to me recently (I usually set Acct Lockout Threshold policy to 10 invalid attempts). Also, I rename both Admin and Guest user accts.
Enable real Administrator & set password so I can install driv
I need to amend my previous post. Susan Bradley (Microsoft SBS MVP http://msmvps.com/blogs/bradley) and Amy Babinchak (Microsoft ISA MVP http://isainsbs.blogspot.com/) conspired to remind me of something this morning.

While the two scenarios I listed are the only ones in the OS (at least they should be) where the Administrator account is treated differently from any other administrator, there are other situations where the built-in Administrator account is needed to perform some task. Poorly written software sometimes does access checks based on the account rather than based on group membership. Probably the most egregious example of that is Microsoft's own Small Business Server (SBS) 2003, which basically cannot be effectively administered from any other administrative account than the built-in Administrator account. Amy related a story about a piece of Belkin software that did the same, which Susan wrote up: http://msmvps.com/blogs/bradley/arch...ve-rights.aspx

Do not take this to mean that you should re-enable the Administrator account and use it on a regular basis. Rather, if software requires use of the Administrator account take it as an indication that the software is broken and needs to be fixed. If the vendor refuses to provide a version that works properly, and there is no other vendor providing this functionality in a properly working piece of software, then you should use the built-in Administrator account to get it to work; but you would be well advised not to make a habit of it.

---
Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20
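The difference described in the post above, between an access check keyed to the account and one keyed to group membership, as an added PowerShell example (not from the thread and not any vendor's code). The function names are hypothetical; the .NET types are the standard `System.Security.Principal` classes.

```powershell
# Added illustration: two ways software might answer "may this user administer the machine?"
# Function names are hypothetical and chosen for this example only.

function Test-IsBuiltinAdministratorAccount {
    # Account-based check (the broken pattern): true only for the built-in
    # Administrator account, whose SID always ends in RID 500. Matching on the
    # SID rather than the name means a renamed account is still recognised,
    # but every other member of the Administrators group is rejected.
    param([System.Security.Principal.WindowsIdentity]$Identity)
    return $Identity.User.Value -match '^S-1-5-21-\d+-\d+-\d+-500$'
}

function Test-IsAdministratorsMember {
    # Group-based check (the correct pattern): true for any account whose
    # current token carries BUILTIN\Administrators (S-1-5-32-544) as an
    # enabled group, including the built-in Administrator.
    param([System.Security.Principal.WindowsIdentity]$Identity)
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole($adminsSid)
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# With UAC on, a member of Administrators running a non-elevated process holds
# a filtered token in which the group is deny-only, so GroupBasedCheck is False
# until the process is elevated. That is the expected result, not a reason to
# fall back to the account-based check.
[pscustomobject]@{
    User              = $me.Name
    Sid               = $me.User.Value
    AccountBasedCheck = Test-IsBuiltinAdministratorAccount -Identity $me
    GroupBasedCheck   = Test-IsAdministratorsMember -Identity $me
}
```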
Enable real Administrator & set password so I can install driv
Jesper, thanks for all your help on this! I reset the password for the Administrator last night, and did all my driver and software installs using the Administrator-group account. I didn't get any strange errors during the driver installations, and all the software is working great. I may even try to force a BSOD just so I can see how the safe mode/recovery option works with the Administrator account.

I'm looking forward to the release of your Vista book! In the meantime, I'll be visiting the hardware store to figure out how I can securely bolt my computer to the floor and walls without it looking too rack-like! (laughs)

"Jesper" wrote:

I was shocked to see the local Admin account disabled and figured there must be a special "tech" reason behind it.

Not really. There were really two main reasons it was disabled. First, far too many people used that account on a daily basis, endangering themselves when they were surfing the web by using an administrative account. This contravened the principle of least privilege; and, as that account is exempt from UAC, using it nullifies the benefits of UAC. Second, using a single administrative account for all administrators violates the security principle of accountability. It is not particularly hard to do so anyway as an administrator, but why make it easier for people to avoid being tracked? That's really all there was to it. The most important reason is that Microsoft is finally trying hard to get people to run as a non-admin most of the time.

The physical-theft concern is something I never would've considered- thanks!!

You're welcome. It is important. I actually recommend to people in large server farms to consider leaving the local Administrator password blank. I figure those servers are locked up in racks and nobody can get physical access to them. An account with a blank password cannot be used remotely since XP, so leaving it blank may actually be far better than setting a weak or crackable password on it. I know I would have been foiled, at least temporarily, on more than one pen-test had the local admin account password been blank.

So you're saying it's OK to enable the Administrator account, log onto it, set a password for it, and then disable it again? (I don't like to force a password reset from another account if I don't have to.) It won't defeat any feature of Vista that expected a blank password (such as crash recovery)?

Personally, I would just as soon reset it. That way you don't need to enable the account at all. It's up to you though. You can also use a tool such as passgen to manage that password: http://www.protectyourwindowsnetwork.com/tools.htm

---
Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20
Enable real Administrator & set password so I can install driv
I may even try to force a BSOD just so I can see how the safe mode/recovery option works with the Administrator account.

You don't need to go to that length to try it. Just boot from your Vista DVD and select "repair". That gives you an option to open a recovery console.

I'm looking forward to the release of your Vista book! In the meantime, I'll be visiting the hardware store to figure out how I can securely bolt my computer to the floor and walls without it looking too rack-like! (laughs)

You know you will have to take a picture of your creation and post it right! :-)