Securing the Administrator account in Active Directory
You may be thinking this should be common knowledge but time and time again I see directories with the Administrator account still in the “Domain Admins” group and active!
Before you do this, ensure you are not using the domain administrator account for authenticating!
I always follow a simple step process to securing the Administrator account:
- Remove from “Domain Admins” group
- Rename the account
- Move the account to a different folder within Active Directory folders OU’s
- Change the password to 56 character set
- Disable account (you cannot remove it)
- Create a new account
Before you can remove the domain admins group you will need to add the domain users group and set it as the primary group.
When renaming the account, you can simply right click on the account and click “rename”. I usually change this to something obscure to make it harder to know it was the administrator account in the past. This doesn’t stop someone trying to attack it as it could be traced back to the SID as all administrator account SIDs end with a 500.
I highly recommend using a random password generator for changing the password, for my example I use the one inbuilt into KeePass. I have used every type of character possible with a 56 character length giving a total of 282bits of encryption goodness.
Don’t worry, I didn’t actually use this password!
When creating a new account, try and come up with a name that hasn’t been used before, so before you think sysadmin is a name, don’t, other people use it!
This might not be full proof but it will deter most attacks unless someone is targeting you for a particular reason.
“You can never completely defend against an attack but you can make it so hard for the attacker that they will change the target to something easier”
Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.