Enable real Administrator & set password so I can install drivers/software?

Discussion in 'Windows Vista Security' started by Thomas H, Apr 2, 2007.

  1. Thomas H

    Thomas H Guest

    Hello everyone,

    I've always used Windows as a "limited user". When I needed to update
    drivers, install software, or configure security, I would log in as the
    local Administrator, perform that work, and log back in as my limited user
    account.

    I planned to do the same at home with Vista- but after installing Vista
    Ultimate, I saw that it disabled the real Administrator account. I created
    another account for myself as a standard user. The machine now has three
    accounts- the disabled "real" Administrator, my Administrator-group account,
    and my standard-user account.

    Should I enable the real Administrator account, set a password for it, and
    install my drivers and software? Then I could delete that
    Administrator-group "second" account, and just have two accounts on the
    machine- real Admin and standard user.

    Or should I leave the real Administrator account disabled and do my setup
    with the second Administrator-group account?

    I read something about the real Administrator account becoming enabled if
    Windows had to boot into safe mode; should the real admin be left disabled
    without a password?

    Thanks!
     
    Thomas H, Apr 2, 2007
    #1

  2. You won't need that account. By default, Vista will attempt to elevate
    (and inform you via UAC) when installing applications.

    - Rafael
     
    Rafael R. [Live Butterfly], Apr 2, 2007
    #2

  3. Thomas H

    Thomas H Guest

    I'm sorry for the confusion; I do understand UAC. I plan, no matter what,
    to use a Limited User Account (LUA, not in the Administrators group) for my
    daily computer use.

    My question is mainly about whether or not I should enable the real
    Administrator account and set a strong password for it, or if I should leave
    the real Administrator account disabled?

    Thanks!
     
    Thomas H, Apr 2, 2007
    #3
  4. Alun Harford

    Alun Harford Guest

    In Vista, the Administrator account is enabled if:
    a) There are no other administrator accounts on the machine, and
    b) You're logging in in safe mode.

    This is so that if you delete all the administrator accounts, you can
    recover the machine without wiping everything.

    Note that you probably don't want to use two accounts - UAC solves those
    security issues in a much more elegant way.

    Alun Harford
     
    Alun Harford, Apr 2, 2007
    #4
  5. Keep a backup account. Safe Mode is supposed to re-enable the built-in admin
    account in a bind, but it's got a bug where if you've got a non-welcome
    screen (and hence unaccessible) admin account - such as a Media Center
    Extender account - Safe Mode will not re-enable the built-in admin, and you
    will be locked out.
     
    Keith Patrick, Apr 2, 2007
    #5
  6. Jesper

    Jesper Guest

    Leave it disabled. There is no reason to use that account. Your personal
    administrator account will work exactly the same. The built-in Administrator
    (note the capitalization) account is for disaster recovery purposes only.

    If your computer is NOT physically secured (such as a laptop or a business
    computer) then you should absolutely set a password on the Administrator
    account; and write that password down on something secure that you store away
    in a safe place. A great option is to pick a relatively long (20-25
    characters) phrase as the password, write it on a piece of paper, and put it
    in a safe.

    In prior versions of Windows there were special powers granted to the
    Administrator that "regular" administrators did not have. With only two
    exceptions that I am aware of, that is no longer the case. The two exceptions
    are:
    1. The Administrator account is not subject to User Account Control. All
    other administrators, except for the Administrator account on a domain, if
    any, are.
    2. If there are no other local administrators on the computer, then the
    Administrator account can log on to the recovery console even if it is
    disabled. A user that is a member of the Administrators group cannot do that
    if it is disabled.

    I am not aware of any other special powers granted to Administrator that
    other members of the Administrators group do not have.
     
    Jesper, Apr 3, 2007
    #6
  7. Thomas H

    Thomas H Guest

    Jesper, thanks! I probably should've mentioned that I'm well-versed in
    2k/XP/2k3 workstation+server+domain security. :) I'm just not sure what
    the proper procedures are for Vista, especially one that isn't joined to a
    domain- and I don't want to do something "old school" that ruins a new
    feature. I was shocked to see the local Admin account disabled and figured
    there must be a special "tech" reason behind it. (I've already enabled
    "hide last user name" in local security policy to get rid of the cute
    Welcome screen.)

    The physical-theft concern is something I never would've considered-
    thanks!! So you're saying it's OK to enable the Administrator account, log
    onto it, set a password for it, and then disable it again? (I don't like to
    force a password reset from another account if I don't have to.) It won't
    defeat any feature of Vista that expected a blank password (such as crash
    recovery)?

    Thanks,

    -T
     
    Thomas H, Apr 3, 2007
    #7
  8. Thomas H

    Thomas H Guest

    Keith, wow, thanks, I didn't see that one on the 'net!! Looks like I'll
    definitely keep that second account (in the Administrator-group) around.
    Maybe I'll even make a third; couldn't hurt!

    Thanks!!

    -T
     
    Thomas H, Apr 3, 2007
    #8
  9. Jesper

    Jesper Guest

    > I was shocked to see the local Admin account disabled and figured

    Not really. There were really two main reasons it was disabled. First, far
    too many people used that account on a daily basis, endangering themselves
    when they were surfing the web by using an administrative account. This
    contravened the principle of least privilege; and, as that account is exempt
    from UAC, using it nullifies the benefits of UAC. Second, using a single
    administrative account for all administrators violates the security principle
    of accountability. It is not particularly hard to do so anyway as an
    administrator, but why make it easier for people to avoid being tracked?
    That's really all there was to it. The most important reason is that
    Microsoft is finally trying hard to get people to run as a non-admin most of
    the time.

    You're welcome. It is important. I actually recommend to people in large
    server farms to consider leaving the local Administrator password blank. I
    figure those servers are locked up in racks and nobody can get physical
    access to them. An account with a blank password cannot be used remotely
    since XP, so leaving it blank may actually be far better than setting a weak
    or crackable password on it. I know I would have been foiled, at least
    temporarily, on more than one pen-test had the local admin account password
    been blank.

    Personally, I would just as soon reset it. That way you don't need to enable
    the account at all. It's up to you though. You can also use a tool such as
    passgen to manage that password:
    http://www.protectyourwindowsnetwork.com/tools.htm
     
    Jesper, Apr 3, 2007
    #9
  10. To my knowledge, I'm the only one who has been hit by this one (I had to
    send my SAM file in to Microsoft to fix!). A few folks have gotten burned on
    the disabled built-in admin, but those people were able to use Safe Mode to
    get in. I had unfortunately just set up my Xbox 360 MCE stuff the day
    before.
     
    Keith Patrick, Apr 3, 2007
    #10
  11. CZ

    CZ Guest

    > Leave it disabled. There is no reason to use that account. Your personal
    > administrator account will work exactly the same. The built-in Administrator
    > (note the capitalization) account is for disaster recovery purposes only.

    Jesper:

    I usually recommend having two Admin gp user accts enabled in case one gets
    locked out as happened to me recently (I usually set Acct Lockout Threshold
    policy to 10 invalid attempts).

    Also, I rename both Admin and Guest user accts.
     
    CZ, Apr 4, 2007
    #11
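
A read-only audit of the account layout the replies above converge on (built-in Administrator disabled with a password set, plus spare enabled accounts in the Administrators group), as an added example that is not from any poster in this thread. It assumes Windows PowerShell 5.1 or later on a machine that is not a domain controller; `Test-LocalAdminLayout` and its `MinimumNamedAdmins` parameter are hypothetical names.

```powershell
# Added example, not from the thread. Requires the Microsoft.PowerShell.LocalAccounts
# cmdlets (Windows PowerShell 5.1+). It only reads account state; it changes nothing.
function Test-LocalAdminLayout {
    [CmdletBinding()]
    param(
        # Assumption: two named admins, following the "keep a backup account" advice.
        [int]$MinimumNamedAdmins = 2
    )

    $findings = @()

    # The built-in Administrator keeps RID 500 even if it has been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) {
        throw 'No local account with RID 500 found (is this a domain controller?).'
    }

    if ($builtin.Enabled) {
        $findings += "Built-in account '$($builtin.Name)' is enabled; it is not subject to UAC."
    }
    # Heuristic: an empty PasswordLastSet means no password was ever set on the account.
    if (-not $builtin.PasswordLastSet) {
        $findings += "Built-in account '$($builtin.Name)' has never had a password set."
    }

    # Direct members of BUILTIN\Administrators, looked up by its well-known SID.
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value

    # Enabled local users in that group, other than the built-in account itself.
    $named = @(Get-LocalUser | Where-Object {
        $_.Enabled -and
        $adminSids -contains $_.SID.Value -and
        $_.SID.Value -ne $builtin.SID.Value
    })

    if ($named.Count -lt $MinimumNamedAdmins) {
        $findings += "Only $($named.Count) enabled named administrator(s); a lockout leaves no spare."
    }

    [pscustomobject]@{
        BuiltInName    = $builtin.Name
        BuiltInEnabled = $builtin.Enabled
        NamedAdmins    = $named.Name
        Findings       = $findings
    }
}

Test-LocalAdminLayout | Format-List
```

An empty `Findings` list means the machine matches the layout described in the thread; domain accounts that are members of the Administrators group are not counted as spares.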
  12. Jesper

    Jesper Guest

    I need to amend my previous post. Susan Bradley (Microsoft SBS MVP
    http://msmvps.com/blogs/bradley) and Amy Babinchak (Microsoft ISA MVP
    http://isainsbs.blogspot.com/) conspired to remind me of something this
    morning. While the two scenarios I listed are the only ones in the OS (at
    least they should be) where the Administrator account is treated differently
    from any other administrator, there are other situations where the built-in
    Administrator account is needed to perform some task.

    Poorly written software sometimes does access checks based on the account
    rather than based on group membership. Probably the most egregious example of
    that is Microsoft's own Small Business Server (SBS) 2003, which basically
    cannot be effectively administered from any other administrative account than
    the built-in Administrator account. Amy related a story about a piece of
    Belkin software that did the same, which Susan wrote up:
    http://msmvps.com/blogs/bradley/archive/2007/04/04/the-need-for-administrative-rights.aspx

    Do not take this to mean that you should re-enable the Administrator account
    and use it on a regular basis. Rather, if software requires use of the
    Administrator account take it as an indication that the software is broken
    and needs to be fixed. If the vendor refuses to provide a version that works
    properly, and there is no other vendor providing this functionality in a
    properly working piece of software, then you should use the built-in
    Administrator account to get it to work; but you would be well advised not to
    make a habit of it.
     
    Jesper, Apr 4, 2007
    #12
  13. Thomas H

    Thomas H Guest

    Jesper, thanks for all your help on this! I reset the password for the
    Administrator last night, and did all my driver and software installs using
    the Administrator-group account. I didn't get any strange errors during the
    driver installations, and all the software is working great. I may even try
    to force a BSOD just so I can see how the safe mode/recovery option works
    with the Administrator account.

    I'm looking forward to the release of your Vista book! In the meantime,
    I'll be visiting the hardware store to figure out how I can securely bolt my
    computer to the floor and walls without it looking too rack-like! (laughs)
     
    Thomas H, Apr 5, 2007
    #13
  14. Jesper

    Jesper Guest

    > I may even try

    You don't need to go to that length to try it. Just boot from your Vista DVD
    and select "repair". That gives you an option to open a recovery console.

    You know you will have to take a picture of your creation and post it right!
    :)
     
    Jesper, Apr 5, 2007
    #14