
Local Security Policy: Accounts

Security Settings > Local Policies > Security Options > Accounts: Administrator account status

By default it is enabled, but you may use this security setting to specify whether the local Administrator account is enabled or disabled.

Microsoft warns that disabling the Administrator account can cause problems under certain circumstances. If your computer is a member of a domain and the domain account security fails, you would typically log on as the local administrator in order to rejoin the domain; with the account disabled, that fallback is unavailable. Another potential issue: if you disable the local Administrator account while its password does not meet the password requirements, you will not be able to re-enable it (another member of the Administrators group would need to reset the account's password first).

Note that regardless of this setting, the Administrator account is always disabled when starting Vista in “Safe Mode”.

Security Settings > Local Policies > Security Options > Accounts: Guest account status

It should be unsurprising to hear that the guest account is disabled by default. However, you can use this policy to specify otherwise if you wish.

One thing to watch out for here: if the Guest account is disabled and “Network access: Sharing and security model for local accounts” is set to “Guest only”, network logons (like those performed by the SMB service) will fail.
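To audit the two account-status settings above without depending on the account names (which the rename policies further down may have changed), the following script locates the built-in Administrator and Guest accounts by their well-known relative IDs and also flags the Guest/“Guest only” combination that breaks network logons. It is an added example and not code from the original post; it assumes Windows PowerShell with WMI (Win32_UserAccount exists on Vista and later) and that the sharing model is stored as the ForceGuest value under the LSA registry key (0 = Classic, 1 = Guest only).

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell with
# WMI available and the sharing model stored as HKLM\...\Lsa\ForceGuest
# (0 = Classic, 1 = Guest only).

function Get-LocalAccountByRid {
    param([Parameter(Mandatory = $true)][int]$Rid)
    # The built-in accounts keep their relative ID (500 = Administrator,
    # 501 = Guest) even after they are renamed, so match on the SID, not the name.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match "^S-1-5-21-\d+-\d+-\d+-${Rid}`$" }
}

function Get-BuiltInAccountStatus {
    $admin = Get-LocalAccountByRid -Rid 500
    $guest = Get-LocalAccountByRid -Rid 501
    if (-not $admin -or -not $guest) {
        throw 'Could not locate the built-in accounts by RID.'
    }

    # "Network access: Sharing and security model for local accounts"
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $guestOnly = ($lsa.ForceGuest -eq 1)

    [PSCustomObject]@{
        AdministratorName     = $admin.Name
        AdministratorEnabled  = -not $admin.Disabled
        GuestName             = $guest.Name
        GuestEnabled          = -not $guest.Disabled
        SharingModelGuestOnly = $guestOnly
        # The combination the post warns about: Guest disabled while every
        # network logon is mapped to Guest.
        NetworkLogonsAtRisk   = ($guest.Disabled -and $guestOnly)
    }
}

$status = Get-BuiltInAccountStatus
$status | Format-List

if ($status.NetworkLogonsAtRisk) {
    Write-Warning 'Guest is disabled but the sharing model is "Guest only": network (SMB) logons to this machine will fail.'
}
if ($status.AdministratorName -eq 'Administrator') {
    Write-Output 'The built-in Administrator account still carries its default name.'
}
```

Run it from an elevated prompt on the machine being checked; matching on the trailing RID rather than the display name is what keeps the report correct after the account has been renamed.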

Security Settings > Local Policies > Security Options > Accounts: Limit local account use of blank passwords to console logon only

Enabled by default, this setting lets you specify whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. When it is enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.

As you know, it is recommended that computers which are not kept in a secure location always enforce strong password policies for local user accounts. This is said to be especially important for notebooks and other portable systems, because anyone with physical access to the computer can log on using a user account that has no password. Watch out here: if you apply this security policy to the “Everyone” group, no one will be able to log on through Terminal Services.
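The following script reports whether the blank-password restriction is in force and lists the enabled local accounts that are flagged as not requiring a password, which is the set worth reviewing when the policy is turned off. It is an added example and not code from the original post; it assumes Windows PowerShell with WMI and that the policy is backed by the LimitBlankPasswordUse DWORD under the LSA registry key (1 = enabled, which a default installation writes).

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell with
# WMI available and that "Limit local account use of blank passwords to console
# logon only" is stored as HKLM\...\Lsa\LimitBlankPasswordUse (1 = enabled).

function Get-BlankPasswordExposure {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Treat only an explicit 0 as "policy disabled"; a default install writes 1.
    $limitToConsole = ($lsa.LimitBlankPasswordUse -ne 0)

    # PasswordRequired=False means the "password not required" flag is set on the
    # account. That does not prove the password is blank, but these are the
    # accounts that could be usable without one.
    $suspect = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        Select-Object Name, SID

    [PSCustomObject]@{
        BlankPasswordsLimitedToConsole      = $limitToConsole
        EnabledAccountsNotRequiringPassword = @($suspect)
        # Only when the policy is off AND such accounts exist can a blank
        # password be used from somewhere other than the console.
        RemoteBlankPasswordLogonPossible    = (-not $limitToConsole) -and (@($suspect).Count -gt 0)
    }
}

$report = Get-BlankPasswordExposure
$report | Format-List

if ($report.RemoteBlankPasswordLogonPossible) {
    Write-Warning 'Policy is disabled and some enabled local accounts do not require a password: they may be usable from the network, not just the console.'
}
elseif (@($report.EnabledAccountsNotRequiringPassword).Count -gt 0) {
    Write-Output 'Accounts without a required password exist, but the policy limits them to console logon.'
}
```

The two conditions are reported separately on purpose: the policy being enabled mitigates remote use, but an enabled account without a password is still a finding for a machine that anyone can walk up to.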

Security Settings > Local Policies > Security Options > Accounts: Rename administrator account

This is pretty cool: it is common practice for most organizations to rename the local Administrator account. By doing so, hacking the account is twice as hard, as the intruder must first determine the alternative administrator account name before attempting to crack the password for the account. This security setting lets you directly specify a different account name to be associated with the security identifier (SID) of the Administrator account. The default name remains “Administrator”, but changing it to anything else can be an effective security tactic.

Security Settings > Local Policies > Security Options > Accounts: Rename guest account

Although you likely have it disabled anyway, this policy allows you to dictate the name of the Guest account, in the same way the above policy allows you to dictate that of the Administrator account.
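All five “Accounts:” settings covered in this post can be applied in one step by importing a security template with secedit.exe, which is the same tool the Local Security Policy snap-in is built on. The script below is an added example and not code from the original post or from Microsoft; the account names are placeholders, it must be run from an elevated prompt, and it assumes that the template keys it writes (EnableAdminAccount, EnableGuestAccount, NewAdministratorName, NewGuestName, and the LimitBlankPasswordUse registry value) are the ones secedit itself emits when you export the local policy with `secedit /export`.

```powershell
# Added example, not code from the original post. Run elevated. Account names
# are placeholders. Assumes the secedit template keys named in the lead-in.

$enableAdmin  = 1             # 0 would disable the built-in Administrator; see the
                              # post's caveat about rejoining a domain before doing so.
$newAdminName = 'LocalMgmt'   # placeholder, choose your own
$newGuestName = 'Visitor'     # placeholder, choose your own

$template = @"
[Unicode]
Unicode=yes
[System Access]
EnableAdminAccount = $enableAdmin
EnableGuestAccount = 0
NewAdministratorName = "$newAdminName"
NewGuestName = "$newGuestName"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Version]
signature="`$CHICAGO`$"
Revision=1
"@

$work = Join-Path $env:TEMP 'accounts-policy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'accounts.inf'
$db  = Join-Path $work 'accounts.sdb'
$log = Join-Path $work 'accounts.log'

# Keep a copy of the current policy so the change can be reversed later.
secedit.exe /export /cfg (Join-Path $work 'before.inf') | Out-Null

# secedit expects a Unicode (UTF-16 LE) template file.
$template | Set-Content -Path $inf -Encoding Unicode

secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit reported an error; see $log" }

# Verify by reading the built-in accounts back by RID: the SIDs are unchanged,
# only the names differ.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -match '-(500|501)$' } |
    Select-Object Name, SID, Disabled
```

Because the settings are applied as a template, the same file can be imported on every machine in a build process, and the exported before.inf gives you the exact lines to revert if a setting turns out to conflict with something like the Terminal Services or domain-rejoin scenarios described above.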


Bob Kelly's Bio:

Bob Kelly is the founder of AppDeploy.com — a resource focused on desktop management products and practices. He is author of the Start to Finish Guide to Scripting with KiXtart and The Definitive Guide to Windows Desktop Administration. He is also president and co-founder of iTripoli, Inc., who provide AdminScriptEditor.com, home to an integrated suite of scripting tools and a shared library of scripts and language help.