Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
|
LinkBack | Thread Tools | Display Modes |
|
|||
Enable real Administrator & set password so I can install drivers/software?
Hello everyone,
I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? Thanks! |
|
|||
Enable real Administrator & set password so I can install drivers/software?
You won't need that account. By default, Vista will attempt to elevate
(and inform you via UAC) when installing applications. - Rafael Thomas H wrote: Hello everyone, I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? Thanks! |
|
|||
Enable real Administrator & set password so I can install drivers/software?
I'm sorry for the confusion; I do understand UAC. I plan, no matter what,
to use a Limited User Account (LUA, not in the Administrators group) for my daily computer use. My question is mainly about whether or not I should enable the real Administrator account and set a strong password for it, or if I should leave the real Administrator account disabled? Thanks! "Rafael R. [Live Butterfly]" wrote in message ... You won't need that account. By default, Vista will attempt to elevate (and inform you via UAC) when installing applications. - Rafael Thomas H wrote: Hello everyone, I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? Thanks! |
|
|||
Enable real Administrator & set password so I can install drivers/software?
Thomas H wrote:
Hello everyone, I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? In Vista, the Administrator account is enabled if: a) There are no other administrator accounts on the machine, and b) You're logging in in safe mode. This is so that if you delete all the administrator accounts, you can recover the machine without wiping everything. Note that you probably don't want to use two accounts - UAC solves those security issues in a much more elegant way. Alun Harford |
|
|||
Enable real Administrator & set password so I can install drivers/software?
Keep a backup account. Safe Mode is supposed to re-enable the buit-in admin
account in a bind, but it's got a bug where if you've got a non-welcome screen (and hence unaccessible) admin account - such as a Media Center Extender account - Safe Mode will not re-enable the built-in admin, and you will be locked out. |
|
|||
Enable real Administrator & set password so I can install driv
Leave it disabled. There is no reason to use that account. Your personal
administrator account will work exactly the same. The built-in Administrator (note the capitalization) account is for disaster recovery purposes only. If your computer is NOT physically secured (such as a laptop or a business computer) then you should absolutely set a password on the Administrator account; and write that password down on something secure that you store away in a safe place. A great option is to pick a relatively long (20-25 characters) phrase as the password, write it on a piece of paper, and put it in a safe. In prior versions of Windows there were special powers granted to the Administrator that "regular" administrators did not have. With only two exceptions that I am aware of, that is no longer the case. The two exceptions a 1. The Administrator account is not subject to User Account Control. All other administrators, except for the Administrator account on a domain, if any, are. 2. If there are no other local administrators on the computer, then the Administrator account can log on to the recovery console even if it is disabled. A user that is a member of the Administrators group cannot do that if it is disabled. I am not aware of any other special powers granted to Administrator that other members of the Administratrors group do not have. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Thomas H" wrote: I'm sorry for the confusion; I do understand UAC. I plan, no matter what, to use a Limited User Account (LUA, not in the Administrators group) for my daily computer use. My question is mainly about whether or not I should enable the real Administrator account and set a strong password for it, or if I should leave the real Administrator account disabled? Thanks! "Rafael R. [Live Butterfly]" wrote in message ... You won't need that account. By default, Vista will attempt to elevate (and inform you via UAC) when installing applications. - Rafael Thomas H wrote: Hello everyone, I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? Thanks! |
|
|||
Enable real Administrator & set password so I can install driv
Jesper, thanks! I probably should've mentioned that I'm well-versed in
2k/XP/2k3 workstation+server+domain security. I'm just not sure what the proper procedures are for Vista, especially one that isn't joined to a domain- and I don't want to do something "old school" that ruins a new feature. I was shocked to see the local Admin account disabled and figured there must be a special "tech" reason behind it. (I've already enabled "hide last user name" in local security policy to get rid of the cute Welcome screen.) The physical-theft concern is something I never would've considered- thanks!! So you're saying it's OK to enable the Administrator account, log onto it, set a password for it, and then disable it again? (I don't like to force a password reset from another account if I don't have to.) It won't defeat any feature of Vista that expected a blank password (such as crash recovery)? Thanks, -T "Jesper" wrote in message ... Leave it disabled. There is no reason to use that account. Your personal administrator account will work exactly the same. The built-in Administrator (note the capitalization) account is for disaster recovery purposes only. If your computer is NOT physically secured (such as a laptop or a business computer) then you should absolutely set a password on the Administrator account; and write that password down on something secure that you store away in a safe place. A great option is to pick a relatively long (20-25 characters) phrase as the password, write it on a piece of paper, and put it in a safe. In prior versions of Windows there were special powers granted to the Administrator that "regular" administrators did not have. With only two exceptions that I am aware of, that is no longer the case. The two exceptions a 1. The Administrator account is not subject to User Account Control. All other administrators, except for the Administrator account on a domain, if any, are. 2. If there are no other local administrators on the computer, then the Administrator account can log on to the recovery console even if it is disabled. A user that is a member of the Administrators group cannot do that if it is disabled. I am not aware of any other special powers granted to Administrator that other members of the Administratrors group do not have. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Thomas H" wrote: I'm sorry for the confusion; I do understand UAC. I plan, no matter what, to use a Limited User Account (LUA, not in the Administrators group) for my daily computer use. My question is mainly about whether or not I should enable the real Administrator account and set a strong password for it, or if I should leave the real Administrator account disabled? Thanks! "Rafael R. [Live Butterfly]" wrote in message ... You won't need that account. By default, Vista will attempt to elevate (and inform you via UAC) when installing applications. - Rafael Thomas H wrote: Hello everyone, I've always used Windows as a "limited user". When I needed to update drivers, install software, or configure security, I would log in as the local Administrator, perform that work, and log back in as my limited user account. I planned to do the same at home with Vista- but after installing Vista Ultimate, I saw that it disabled the real Administrator account. I created another account for myself as a standard user. The machine now has three accounts- the disabled "real" Administrator, my Administrator-group account, and my standard-user account. Should I enable the real Administrator account, set a password for it, and install my drivers and software? Then I could delete that Administrator-group "second" account, and just have two accounts on the machine- real Admin and standard user. Or should I leave the real Administrator account disabled and do my setup with the second Administrator-group account? I read something about the real Administrator account becoming enabled if Windows had to boot into safe mode; should the real admin be left disabled without a password? Thanks! |
|
|||
Enable real Administrator & set password so I can install drivers/software?
Keith, wow, thanks, I didn't see that one on the 'net!! Looks like I'll
definately keep that second account (in the Administrator-group) around. Maybe I'll even make a third; couldn't hurt! Thanks!! -T "Keith Patrick" wrote in message ... Keep a backup account. Safe Mode is supposed to re-enable the buit-in admin account in a bind, but it's got a bug where if you've got a non-welcome screen (and hence unaccessible) admin account - such as a Media Center Extender account - Safe Mode will not re-enable the built-in admin, and you will be locked out. |
|
|||
Enable real Administrator & set password so I can install driv
I was shocked to see the local Admin account disabled and figured
there must be a special "tech" reason behind it. Not really. There were really two main reasons it was disabled. First, far too many people used that account on a daily basis, endangering themselves when they were surfing the web by using an administrative account. This contravened the principle of least privilege; and, as that account is exempt from UAC, using it nullifies the benefits of UAC. Second, using a single administrative account for all administrators violates the security principle of accountability. It is not particularly hard to do so anyway as an administrator, but why make it easier for people to avoid being tracked. That's really all there was too it. The most important reason is that Microsoft is finally trying hard to get people to run as a non-admin most of the time. The physical-theft concern is something I never would've considered- thanks!! You're welcome. It is important. I actually recommend to people in large server farms to consider leaving the local Administrator password blank. I figure those servers are locked up in racks and nobody can get physical access to them. An account with a blank password cannot be used remotely since XP, so leaving it blank may actually be far better than setting a weak or crackable password on it. I know I would have been foiled, at least temporarily, on more than one pen-test had the local admin account password been blank. So you're saying it's OK to enable the Administrator account, log onto it, set a password for it, and then disable it again? (I don't like to force a password reset from another account if I don't have to.) It won't defeat any feature of Vista that expected a blank password (such as crash recovery)? Personally, I would just as soon reset it. That way you don't need to enable the account at all. It's up to you though. You can also use a tool such as passgen to manage that password: http://www.protectyourwindowsnetwork.com/tools.htm --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 |
|
|||
Enable real Administrator & set password so I can install drivers/software?
To my knowledge, I'm the only one who has been hit by this one (I had to
send my SAM file in to Microsoft to fix!). A few folks have gotten burned on the disabled built-in admin, but those people were able to use Safe Mode to get in. I had unfortunately just set up my Xbox 360 MCE stuff the day before. |
|
Thread Tools | |
Display Modes | |
|
|