Does Administrator account provide attack route?

ThomasHedden

I just installed Windows 7 Ultimate from scratch. I am aware that there is a built-in Administrator account that can be enabled, which I have not done. I am curious whether this account presents a possible point of entry for an attack, in particular a remote attack when the computer is connected to the Internet, and if so, what is the best way of protecting one's computer. For example, can the account be enabled, given a strong password, and then disabled again? Will the password still apply if the account is re-enabled? Or is it possible to enable it, apply a strong security policy to it, and then disable it again? Any ideas?
 

My Computer

Computer Manufacturer/Model Number
self-built
OS
Windows 7 Ultimate x64
CPU
AMD FX-4100 QUAD CORE X4 3.6-3.8GHZ
Motherboard
ASUS M5A88-V EVO AM3+
Memory
8 GB
Graphics Card(s)
on-board
Sound Card
on-board
Monitor(s) Displays
LCD
Hard Drives
Seagate Barracuda SATA ST310005N1A1AS-RK, 1 TB, 3 Gbps
PSU
plenty big
Case
server
Cooling
3 case fans

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Built
OS
Windows 10 Pro
CPU
AMD Ryzen 5 2400G Processor with Radeon RX Vega 11 Graphics
Motherboard
ASRock X470 Master SLI/AC AM4 AMD Promontory X470 SATA 6Gb/s
Memory
G.SKILL Ripjaws V Series 16GB (2 x 8GB) 288-Pin DDR4 SDRAM D
Graphics Card(s)
2047MB NVIDIA GeForce GTX 1060 6GB (EVGA)
Sound Card
Motherboard Built in
Monitor(s) Displays
Acer R240HY bidx 23.8-Inch IPS HDMI DVI VGA (1920 x 1080) Wi
Screen Resolution
1920 x 1080
Hard Drives
1TB Sandisk SSD PLUS (Main drive)
500 GB Seagate 7200 RPM (Games)
500 GB Western Digital 7200 RPM (Virtual Machines)
PSU
CORSAIR TX Series TX650M 650W 80+ Gold Modular Power Supply
Case
CORSAIR CARBIDE SPEC-02 Mid-Tower Gaming Case, Red LED Fan
Cooling
220mm, two 120mm, and four 60mm fans
Keyboard
Wired Dell keyboard
Mouse
Wireless Logitech mouse
Internet Speed
250mb down, 30mb up
Antivirus
Panda Cloud Antivirus
Browser
Chrome-ish x64
Other Info
You're awesome for reading this.
The Administrator account is the most powerful user account in the system and access to it should be controlled. A password is one of the first lines of defense against unauthorized access. By default it has no password but this is a serious security risk and intended only as a temporary situation. You should give it a good password and preferably disable it. Normally the system will disable the administrator account when the first admin level account is created. Like any other account, enabling and disabling the account has no effect on the password.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Pro 64 bit
CPU
Xeon W3520
Memory
8 GB
Graphics Card(s)
Nvidia Geforce 210
When kept disabled, user accounts pose NO security risks, even with no or weak passwords, since no one will be able to login with them. As long as the built-in administrator account is disabled, it will not give any additional attack surface than your own account (if you do enable it for whatever reason, then yes, be sure to give a good password).

To make use of a disabled account, it must first be enabled. And to enable a user account, you must have administrator privileges. That makes it sort of pointless to arrange an attack to enable the built-in one, since if you're able to, you've already been elevated to admin, so attackers will possibly use that other account to achieve full control over your system, without the need for the "administrator" account.

There is one more additional risk, that involves mounting an offline system. Provided they've got physical access, they can simply enable or change the password of any account in the system, using one of the many well-known tools for managing accounts offline. Remember that, security-wise, physical access means game over, the attacker won.


The Administrator account is the most powerful user account in the system

Not really. In Windows all administrator accounts are equal. It's a common myth spread in this forum. The only special thing about it is that it's built-in and cannot be deleted, but other than that, it can do whatever any other admin account can do.
Besides, there are two more "powerful" levels beyond the administrator group. The built-in SYSTEM account, used to run many of the built-in services and many others, which can have control of programs and objects running in any account, not just its own. And kernel-mode drivers, which have control over the whole OS memory, processing and every internal data structure, as well as direct access to all hardware.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Satellite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
There is one more additional risk, that involves mounting an offline system. Provided they've got physical access, they can simply enable or change the password of any account in the system, using one of the many well-known tools for managing accounts offline. Remember that, security-wise, physical access means game over, the attacker won.
Not necessarily. I use the very-easy-to-enable EFS and set a long password on my account, > 20 chars, so no program can "find out" your password and they have to set a new password. If they do that, then they at least won't have access to the EFS-encrypted files, which are basically all my private important files: documents, mail, pictures etc.
If you start using EFS make sure you backup the certificate!!
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
When kept disabled, user accounts pose NO security risks, even with no or weak passwords, ...
[snip]
Remember that, security-wise, physical access means game over, the attacker won.
These are good points, and I understand them. However, there are still a few things I am concerned about. First, the Administrator account has the same problem that the "root" account does in Unix systems: everyone knows the name of the account and knows that if you can get into this one account you can do anything. In Windows, there can be other accounts with Administrator privileges, but as far as I know a person trying to break into the system from outside has no way of knowing whether an account has administrator privileges (is this true?). The Administrator account, like the Unix root account, is an obvious target. Another thing that I find worrisome is that if someone should gain even MOMENTARY access to your computer ("Can I just check e-mail real quick?"), then he could enable the Administrator account with no password, and then return later to do his dirty work. There is a similar problem when installing new software: a website could offer downloads of popular, safe SW and bundle it in an installer that also enables the Administrator account. There would be no obvious change to the computer or symptoms of malware, because the desired SW actually IS installed, and nothing is done except to enable the Administrator account. Then, an attacker can return at a later time to gain entry. One other question: If the Administrator account is enabled, will it ALWAYS show up on the login screen that shows the users and prompts you to log on? Is there any way for it to be hidden if it has been enabled? If it always appears on the login screen, then it will be obvious to the user.
 

Another thing that I find worrisome is that if someone should gain even MOMENTARY access to your computer ("Can I just check e-mail real quick?"), then he could enable the Administrator account with no password, and then return later to do his dirty work.
A simple solution for this: Never let someone else use your admin account! Use the "Switch user" option next to Shutdown and Restart, and log in as a standard user instead. That's what I do. I've even restricted what applications are allowed with Parental Control.

Regarding seeing user names at the log on screen, I believe this is what you want: Require users to type both user name and password
http://www.sevenforums.com/tutorials/61650-log-user-name-password.html
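Two worries in this thread come down to things you can simply check: whether the built-in Administrator account has quietly been enabled (the "check my e-mail real quick" and bundled-installer scenarios), and whether any account has been hidden from the logon screen. The script below is an added example written for this thread, not code from any poster or from the linked tutorial. It only reads settings; it changes nothing. It uses the WinNT ADSI provider so it runs on Windows 7 (PowerShell 2.0) as well as later versions, and assumes an elevated PowerShell prompt. The function names are my own choice.

```powershell
# Added example, not from the thread: read-only audit of local accounts and
# logon-screen settings. Uses the WinNT ADSI provider (works on Windows 7 /
# PowerShell 2.0). Run from an elevated PowerShell prompt.

function Get-LocalAccountAudit {
    # Enumerate local user accounts and flag the built-in Administrator by its
    # RID (500), which survives a rename, unlike the account name.
    $root = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($entry in $root.psbase.Children) {
        if ($entry.psbase.SchemaClassName -ne 'user') { continue }
        $props = $entry.psbase.Properties
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($props['objectSid'].Value, 0)
        $flags = [int]$props['UserFlags'].Value
        New-Object PSObject -Property @{
            Name            = $entry.psbase.Name
            Sid             = $sid.Value
            IsBuiltinAdmin  = ($sid.Value -like '*-500')
            Disabled        = [bool]($flags -band 0x0002)   # ADS_UF_ACCOUNTDISABLE
            PasswordNotReq  = [bool]($flags -band 0x0020)   # ADS_UF_PASSWD_NOTREQD
            # PasswordAge is reported in seconds since the password was last set
            PasswordAgeDays = [math]::Round(([double]$props['PasswordAge'].Value) / 86400, 1)
        }
    }
}

function Get-LocalAdminMembers {
    # Resolve the Administrators group by its well-known SID (S-1-5-32-544) so
    # the check is not tied to the English group name, then list its members.
    # Every account listed here is as powerful as the built-in one.
    $sid       = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Get-LogonScreenSettings {
    # Two settings relevant to the logon-screen question:
    #  - dontdisplaylastusername = 1 makes users type both name and password
    #    (the setting the linked tutorial turns on)
    #  - a SpecialAccounts\UserList value set to 0 hides that account from the
    #    Welcome screen; an entry you did not create yourself deserves a look.
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $hidden = @()
    if (Test-Path $userListKey) {
        $list = Get-ItemProperty -Path $userListKey
        foreach ($p in $list.PSObject.Properties) {
            if ($providerProps -notcontains $p.Name -and $p.Value -eq 0) { $hidden += $p.Name }
        }
    }
    New-Object PSObject -Property @{
        RequireTypedUserName  = ([int]$policy.dontdisplaylastusername -eq 1)
        HiddenFromLogonScreen = $hidden
    }
}

# Usage (elevated prompt): review any enabled account you did not create,
# a built-in Administrator that is enabled, and accounts hidden from logon.
Get-LocalAccountAudit | Format-Table Name, IsBuiltinAdmin, Disabled, PasswordNotReq, PasswordAgeDays -AutoSize
"Members of the local Administrators group:"
Get-LocalAdminMembers
Get-LogonScreenSettings | Format-List
```

The point of matching on RID 500 rather than the name "Administrator" is the one made earlier in the thread: the built-in account is special only in being built-in, so renaming it does not change what it is, and any other member of the Administrators group is just as capable. Run the audit once after a clean install to record the expected state, and again whenever someone else has had the keyboard; a newly enabled account or a new UserList entry is the symptom the "momentary access" scenario would leave behind.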
 
