HomeUser requestng help w MBSA 2.1 results

Discussion in 'Windows Vista Security' started by Paul, Jul 19, 2007.

  1. Paul

    Paul Guest

    Hello everyone,

    I'm a home user and I got some STARTLING results after running a security
    scan using Microsoft's Baseline Security Analyzer Beta 2.1

    It spotted a user account on my computer that I didn't even know existed !

    In the UAC, I set up a standard user account (called "P & L") for everyday
    use. I also set up an administrator account (called "root"), to use whenever
    I have to make system changes. The report from MBSA showed an additional
    administrator account called "administrator" !

    How did it get there ? More importantly, how do I get rid of it ? We do
    not need two administrators.
     
    Paul, Jul 19, 2007
    #1
    1. Advertisements

  2. Paul

    Paul Guest

    I forgot to mention that this "administrator" account does not show up in the
    UAC. The "root" account appears there, "P & L" appears, "guest" appears but
    is turned off. I'm running Vista home basic.
    ____________________________________
     
    Paul, Jul 19, 2007
    #2
    1. Advertisements

  3. "Administrator" is the real default admin account that is disabled by
    default on your system. it is that only account that is not subject to UAC
    or any of the other restrictions that are placed even on accounts such as
    your root that re members of the administrators local group - so as you
    think of hem as admin accounts.
    It is meant to be there and disabled by default.
    It should not be used except in extreme circumstances as your "root\2 will
    do for all your admin needs.
     
    Mike Brannigan, Jul 19, 2007
    #3
  4. Paul

    Jimmy Brush Guest

    Hello,

    This is normal.

    The "Administrator" account is the built-in admin account. It is
    disabled by default, and in fact, the only time it becomes visible and
    usable (by default) is if you delete/disable all your other
    administrator accounts and restart the computer in safe mode.

    If you're hooked to a domain, this account is never available for use by
    default.

    You can view and tinker with this account using an elevated command
    prompt with the "net user" command.

    - JB
     
    Jimmy Brush, Jul 19, 2007
    #4
  5. Paul

    Paul Guest

    This is interesting, Mike. Perhaps I should delete "root" and make this
    "administrator" account my new "root" account. You say it shouldn't be used
    unless there are 'extreeme circustances'. What are these extreeme
    circmstances ?

    I rarely log into my "root" account. I log into my "root" account when I
    have to do a series of administrative tasks that would, otherwise, require me
    to right-click and "run as administrator" many times in succession.

    Funny, I thought that my "root" gave me complete and unhindered access to
    all files and folders. I didn't realize there was something "higher up".

    Sincerely,
    Paul
    ______________________________
     
    Paul, Jul 20, 2007
    #5
  6. Paul

    Paul Guest

    Hello Jimmy, this is all news. Wow. The question now is whether or not I
    should delete the "root" acount that I have been been using, and use this
    "Administrator" account as my new root account. Are there any hazards to
    doing this? I'm asking this because I'd like a minimum of administrator
    accounts floating around.
    _______________________________________
     
    Paul, Jul 20, 2007
    #6

  7. Interesting question - the "Administrator" account could be enabled or day
    to day use - but is extremely highly privileged in that it will ignore
    pretty much all the other security protections that are even in place around
    your root account. While some people object to the User Account Control
    popping up and checking if you really want to do something it is there for
    your protection so using the Administrator account may pose a risk to you
    and your system - imagine accidently opening a file with a day zero exploit
    root kit or virus in it and this is now going to execute with absolutely
    nothing to stop it doing anything to hide itself and damage your system,
    etc.

    I would advise keep your root account and use that as you day to day admin -
    you are unlikely to even need the big A admin account.
    Indeed an account that is made an administrator (small "a") is indeed an
    admin account but it is still subject to UAC and potentially requiring you
    to confirm some actions etc and some applications may require addiotnal
    confirming permission elevation etc. The Administrator account bypasses all
    of this but obviously there is an inherent risk too, to your systems
    security by running asks under extremely highly privileged accounts.
     
    Mike Brannigan, Jul 20, 2007
    #7
  8. Paul

    Jimmy Brush Guest

    Well, there are some "negatives" to using the Administrator account.

    1) By default, it runs outside of UAC. This reduces the security of your
    computer while you are logged in with that account. However, you can use
    local security policy to change this behavior and leave UAC on while
    logged in to this account.

    2) It is well known by attackers - it's better IMHO to have and use a
    custom admin account with a custom name and account id.

    - JB
     
    Jimmy Brush, Jul 20, 2007
    #8
  9. Paul

    Paul Guest

    I see your point, Mike, and it makes sense. It's foolish not to have the UAC
    security safety net. However, is there a way to configure UAC and those
    other protections so that they run while logged into, or using priveleges of,
    that "big Administrator" account. Would this be secure? If it's a BIG
    production to do this, then I'll just forget about it.

    The reason why I'm asking is that security people say there should be a
    minimum of administrator accounts floating around.

    One last question on a slightly different topic. Since the discovery of
    this account, I did some exploring around. I discovered the existence of a
    SYSTEM user group and the existence of an INTERACTIVE user group. What are
    these groups ? These are in the security properties of many files.

    Regards,

    Paul

    ▬▬▬▬▬▬▬▬▬▬
     
    Paul, Jul 21, 2007
    #9
  10. Paul

    Paul Guest

    This implies that even with UAC configured to run on this account, this
    account would be less secure that my "root" account. It probably is a good
    idea to forget this idea altogether.

    A last question, do you know what the SYSTEM and INTERACTIVE user groups
    are ? I find that they are in the right-click security properties of many
    files and programs.

    Sincerely,

    Paul

    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
     
    Paul, Jul 21, 2007
    #10
  11. Paul

    Jimmy Brush Guest

    SYSTEM is a user account, not a group. Actually, it is better to
    consider it as a "system account" instead of a user account. The SYSTEM
    account is the most privileged account on the local computer.

    There are a few other system accounts, including local service and
    network service. These other accounts have less power than SYSTEM, and
    they are used when access to all privileges are not needed.

    Operating system processes, services, and task scheduler entries can run
    in the system accounts.

    These are not traditional user accounts in the sense that users do not
    log in as them - only the programs that I just mentioned. These accounts
    do not have a password, and a program can only run inside of a system
    account if it is started by the operating system or another program
    running inside of a system account.

    The "INTERACTIVE" group is an implicit group.

    An implicit group is a group where its members are controlled by the
    operating system. You cannot add/remove a user from implicit groups.

    These groups are used by the Operating System to "tag" user accounts as
    they are logged in, and they generally describe the type of logon that
    the user did (e.g., network, interactive, ntlm authentication,
    authenticated user).

    These groups are used in security permissions to assign rights based on
    this information. For example, using these groups, you can allow
    interactive logins but disallow other types (such as people logged in
    via networking [smb]).

    - JB
     
    Jimmy Brush, Jul 21, 2007
    #11
  12. Paul

    Paul Guest

    That does answer my question. All these accounts are obviously things that I
    have no reason to fool around with.

    Thanks for your time and help.

    Sincerely,

    Paul
    _________________________________

     
    Paul, Jul 22, 2007
    #12
  13. No you cannot do that. The Administrator account is there to bypass those
    restrictions. If you want an admin account that is covered by UAC etc then
    just create a admin account - which you did as your root account.
    Correct and you have ONE on your system that is actually usable and that is
    your root account as Administrator is disabled by default.
    Correct - they are system level security principals - do not remove them
    from any access control lists or permissions property sheets as they are
    required for Windows to do what it needs to do.
    You can find out more about them on any internet search engine, if you are
    that interested, otherwise leave them alone.
     
    Mike Brannigan, Jul 23, 2007
    #13
  14. Paul

    Paul Guest

    Well, I learned a few things here; this was informative. I will definitely
    leave this alone.

    Thanks for your time and help,

    Paul

    ▬▬▬▬▬▬▬▬▬▬
     
    Paul, Jul 25, 2007
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.