In Active Directory, a built-in administrator account is created during domain setup. This account is a member of the "Domain Admins" and "Administrators" groups by default, and can also be a member of the "Enterprise Admins" group.
To secure this account, apply the following settings:
1. In the account properties, check the boxes:
- Smart card is required for interactive logon;
- Account is sensitive and cannot be delegated.
2. In the domain group policy, under "Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment", assign the following user rights to the built-in administrator account:
- Deny access to this computer from the network;
- Deny log on as a batch job;
- Deny log on as a service;
- Deny log on through Remote Desktop Services.
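
The two steps above can be applied and checked from PowerShell. This is an added example, not part of the original post: it sets the two account flags with the ActiveDirectory module, then reads the effective user rights on the local machine to confirm the four deny rights reached it through group policy. It assumes an elevated session with the RSAT ActiveDirectory module and rights to modify the account; the temporary file name is arbitrary.

```powershell
Import-Module ActiveDirectory

# The built-in administrator always has RID 500, even if it has been renamed.
$sid   = "$((Get-ADDomain).DomainSID.Value)-500"
$admin = Get-ADUser -Identity $sid

# Step 1: the two account-property checkboxes.
# Requiring a smart card replaces the account password with a random value,
# so have a working smart card or another admin path ready first.
Set-ADUser -Identity $admin -SmartcardLogonRequired $true -AccountNotDelegated $true

Get-ADUser -Identity $sid -Properties SmartcardLogonRequired, AccountNotDelegated |
    Select-Object SamAccountName, SmartcardLogonRequired, AccountNotDelegated

# Step 2 check: privilege constants behind the four policy names.
$denyRights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Export the effective user rights of this machine (needs elevation).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

foreach ($right in $denyRights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" }
    # Entries are comma-separated; SIDs are written with a leading '*'.
    $members = if ($line) {
        ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
    } else { @() }

    [pscustomobject]@{
        Policy  = $denyRights[$right]
        Applied = ($members -contains $sid) -or
                  ($members -contains $admin.SamAccountName)
    }
}

Remove-Item $cfg
```

Run `gpupdate /force` on the target machine before the check if the policy was just linked; a row with `Applied` set to `False` means the GPO has not reached that computer or does not list the account.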