Do you use a standard local admin account?
Last updated by Brady Stroud [SSW] almost 2 years ago.See historyHaving a local admin account that is not the built-in admin account Windows creates at first is an important way to get access back to your system if any troubles arise.
When first setting up, Windows creates a local administrator account that can change everything in the system – this account cannot be deleted, just disabled. It is good practice to disable this account and create a new one, following your own company password and naming standard, that is also a local administrator on the PC.
It is also good practice to use a script (or Group Policy) to set that admin account, fewer errors than doing it manually.
Have a look at SSW SysAdmins' script for that: https://github.com/SSWConsulting/SSWSysAdmins.LocalAdminAccount
Having a local admin has many benefits, including:
- “Backdoor” or offline access if no domain controller is available to serve login requests e.g. no internet, remote locations
- Consistent admin user across all devices e.g. no need to guess which password or user was created for that machine
But it also has cons:
- If an attacker gets the username and password for that admin account, it can control any machine – Important to have a different admin account for different types of services e.g. servers, BYO devices, laptops, desktops
- If a password is compromised, changing the password of all devices might be cumbersome
