Windows 7 Forums

Windows 7: Does Administrator account provide attack route?

15 Sep 2014   #1
ThomasHedden

Windows 7 Ultimate x64
 
 
Does Administrator account provide attack route?

I just installed Windows 7 Ultimate from scratch. I am aware that there is a built-in Administrator account that can be enabled, which I have not done. I am curious whether this account presents a possible point of entry for an attack, in particular a remote attack when the computer is connected to the Internet, and if so, what is the best way of protecting one's computer. For example, can the account be enabled, given a strong password, and then disabled again? Will the password still apply if the account is re-enabled? Or is it possible to enable it, apply a strong security policy to it, and then disable it again? Any ideas?


15 Sep 2014   #2
andrew129260

Windows 10 Pro
 
 

Quote: Originally Posted by ThomasHedden
For example, can the account be enabled, given a strong password, and then disabled again?

Yes, do that.
15 Sep 2014   #3
LMiller7

Windows 7 Pro 64 bit
 
 

The Administrator account is the most powerful user account in the system and access to it should be controlled. A password is one of the first lines of defense against unauthorized access. By default it has no password but this is a serious security risk and intended only as a temporary situation. You should give it a good password and preferably disable it. Normally the system will disable the administrator account when the first admin level account is created. Like any other account, enabling and disabling the account has no effect on the password.
15 Sep 2014   #4
Alejandro85

Windows 7 Ultimate x64
 
 

When kept disabled, user accounts pose NO security risks, even with no or weak passwords, since no one will be able to log in with them. As long as the built-in administrator account is disabled, it will not give any more attack surface than your own account (if you do enable it for whatever reason, then yes, be sure to give it a good password).

To make use of a disabled account, it must first be enabled. And for enabling a user account, you must have administrator privileges. That makes it sort of pointless to arrange an attack to enable the built-in one, as if you're able, you've already been elevated to admin, so attackers will possibly use that other account to achieve full control over your system, without the need for the "administrator" account.

There is one more additional risk, that involves mounting an offline system. Provided they've got physical access, they can simply enable or change the password of any account in the system, using one of the many well-known tools for managing accounts offline. Remember that, security-wise, physical access means game over, the attacker won.


Quote: Originally Posted by LMiller7
The Administrator account is the most powerful user account in the system

Not really. In Windows all administrator accounts are equal. It's a common myth spread in this forum. The only special thing about it is that it's built-in and cannot be deleted, but other than that, it can do whatever any other admin account can do.
Besides, there are two more "powerful" levels beyond the administrator group. The built-in SYSTEM account, used to run many of the built-in services and many others, that can have control of programs and objects running in any account, not just its own. And kernel-mode drivers, that have control over the whole OS memory, processing and every internal data structure, as well as direct access to all hardware.
16 Sep 2014   #5
Tookeri

Windows 7 Pro 32
 
 

Quote: Originally Posted by Alejandro85
There is one more additional risk, that involves mounting an offline system. Provided they've got physical access, they can simply enable or change the password of any account in the system, using one of the many well-known tools for managing accounts offline. Remember that, security-wise, physical access means game over, the attacker won.

Not necessarily. I use the very-easy-to-enable EFS and set a long password for my account, > 20 chars, then no program can "find out" your password and they have to set a new password. If they do that then they at least won't have access to the EFS encrypted files, which basically are all my private important files: documents, mail, pictures etc.
If you start using EFS make sure you back up the certificate!!
16 Sep 2014   #6
ThomasHedden

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by Alejandro85
When kept disabled, user accounts pose NO security risks, even with no or weak passwords, ...
[snip]
Remember that, security-wise, physical access means game over, the attacker won.

These are good points, and I understand them. However, there are still a few things I am concerned about. First, the Administrator account has the same problem that the "root" account does in Unix systems: everyone knows the name of the account and knows that if you can get into this one account you can do anything. In Windows, there can be other accounts with Administrator privileges, but as far as I know a person trying to break into the system from outside has no way of knowing whether an account has administrator privileges (is this true?). The Administrator account, like the Unix root account, is an obvious target.

Another thing that I find worrisome is that if someone should gain even MOMENTARY access to your computer ("Can I just check e-mail real quick?"), then he could enable the Administrator account with no password, and then return later to do his dirty work. There is a similar problem when installing new software: a website could offer downloads of popular, safe SW and bundle it in an installer that also enables the Administrator account. There would be no obvious change to the computer or symptoms of malware, because the desired SW actually IS installed, and nothing is done except to enable the Administrator account. Then, an attacker can return at a later time to gain entry.

One other question: If the Administrator account is enabled, will it ALWAYS show up on the login screen that shows the users and prompts you to log on? Is there any way for it to be hidden if it has been enabled? If it always appears on the login screen, then it will be obvious to the user.
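
A way to check for the silent re-enabling discussed in the posts above, as an added example that is not part of any forum post: it reports the state of the built-in Administrator account and lists Security log events 4722 ("A user account was enabled") that target it. The function names are hypothetical, and the event search assumes User Account Management auditing is turned on and that the script runs elevated.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Uses WMI so it works with the PowerShell 2.0 that ships with Windows 7.

function Get-BuiltinAdministrator {
    # The built-in Administrator keeps RID 500 even if the account is renamed.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

function Get-AccountEnabledEvents {
    param([string]$TargetSid)
    # Event 4722 = "A user account was enabled".
    # Assumption: User Account Management auditing is on; otherwise nothing is logged.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named fields from the event XML instead of relying on positions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetSid'] -eq $TargetSid) {
            New-Object PSObject -Property @{
                TimeCreated = $e.TimeCreated
                EnabledBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Target      = $data['TargetUserName']
            }
        }
    }
}

$admin = Get-BuiltinAdministrator
if (-not $admin) { Write-Warning 'No local account with RID 500 found.'; return }

"Name             : $($admin.Name)"
"Disabled         : $($admin.Disabled)"
# PasswordRequired is an account flag; it does not prove a password is actually set.
"PasswordRequired : $($admin.PasswordRequired)"

if (-not $admin.Disabled) {
    Write-Warning 'Built-in Administrator is ENABLED. Confirm this is intentional.'
}

$hits = @(Get-AccountEnabledEvents -TargetSid $admin.SID)
if ($hits.Count -eq 0) {
    'No 4722 (account enabled) events for this account in the Security log.'
} else {
    $hits | Sort-Object TimeCreated | Format-Table TimeCreated, EnabledBy, Target -AutoSize
}
```

An empty result only covers the period the Security log still retains.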
17 Sep 2014   #7
Tookeri

Windows 7 Pro 32
 
 

Quote: Originally Posted by ThomasHedden
Another thing that I find worrisome is that if someone should gain even MOMENTARY access to your computer ("Can I just check e-mail real quick?"), then he could enable the Administrator account with no password, and then return later to do his dirty work.
A simple solution for this: Never let someone else use your admin account! Use the "Switch user" option next to Shutdown and Restart, and log in as a standard user instead. That's what I do. I've even restricted what applications are allowed with Parental Control.

Regarding seeing user names at the log on screen, I believe this is what you want: Require users to type both user name and password
Log On with User Name and Password
17 Sep 2014   #8
Tookeri

Windows 7 Pro 32
 
 

This is not perhaps what you want, but another thing you can do to tighten the security is to set a startup password:

SysKey - Set Startup Password to Lock or Unlock Windows