ASD's Blueprint for Secure Cloud

The default local Administrator account is a highly privileged user account found on every Windows operating system. The Administrator account is the first account that is created during the installation for all Windows client operating systems.

The Administrator account can be used to create local users and assign user rights and access control permissions. It can also be used take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed and / or disabled. It is Microsoft best practice and an ASD hardening guideline recommendation to leave the Administrator account disabled and renamed.

If there is a requirement to utilise the local Administrator account in an on-premises environment, Microsoft provides Local Administrator Password Solution (LAPS), an Active Directory integrated Access Control List (ACL) protected password management tool.

LAPS gives system administrators the ability to set a different, random password for the common local administrator account on each computer in the domain and store the password for the computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object.

Related information

Security & Governance

• Application Control
• Essential Eight: Restrict Microsoft Office Macros

Design

• None identified

Configuration

• ASD Windows Hardening Guidelines

References

• None identified