Administrators check

Applies To: Forefront Client Security

The Administrators SSA check identifies and lists the user accounts that belong to the local Administrators group. If more than two individual administrator accounts are detected, Client Security lists the account names in related reports as a potential vulnerability.

User accounts that belong to the local Administrators or Domain Admins groups have authority to do almost anything on the systems and networks that they have permission to access. If such an account is taken over maliciously, catastrophic harm could be done to the system or network.

The local administrator account and domain administrator accounts are excluded from this check.

Resolutions for potentially unacceptable scores

On each scanned computer assigned a Medium score, it is recommended that you review the list of members in the local Administrators and Domain Admins groups to ensure that all users with administrative authority are justified.

In general, it is recommended to keep the number of administrators to a minimum because administrators essentially have complete control over the computer.

Scoring and results

This check generates scores on two levels:

  • Overall

  • Per account

Overall scoring

The following table shows how Client Security determines the overall score resulting from assessing administrator accounts on the scanned computer.

| Score | Number of accounts with Medium score | Number of accounts with Informational score | Number of accounts with Low score | Results message |
|---|---|---|---|---|
| Medium | At least 2 | 0 or more | 0 or more | The following number of unnecessary Local Administrators were found on this computer: number. |
| Low | Less than 2 | 0 or more | 0 or more | Unnecessary Local Administrators were not found on this computer. |

Per account scoring

The following table shows how Client Security determines the score resulting from assessing a specific user account that is a member of the local Administrators group.

| Score | Account is a member of Domain Admins group | Account is the built-in member of the local Administrators group | Account is a member of the Group Policy Restricted group (not supported in Windows 2000) | Exclude account from count | More than one non-excluded account | Results message |
|---|---|---|---|---|---|---|
| Medium | No | No | No | No | Yes | The following account is a member of the Local Administrators group: domain\username. |
| Low | No | No | No | No | No | The following account is a member of the Local Administrators group: domain\username. |
| Informational | No | Yes | No | Yes | Not applicable | The following account is the built-in member of the Local Administrators group: domain\username. |
| Informational | No | No | Yes | Yes | Not applicable | The following account is a member of the Local Administrators group and of a Group Policy Restricted Group: domain\username. |
| Informational | Yes | No | No | Yes | Not applicable | The following account is a member of the Local Administrators group: domain\username. |
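The two scoring tables can be read as one procedure: classify each member, count the non-excluded ones, then derive the overall score. The following is an added example, not Client Security's own code; the `Member` class, the function names and the sample inventory are hypothetical, and it assumes that an account with more than one "Yes" membership flag is also excluded and that "number" in the results message is the count of Medium accounts.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str                        # domain\username
    domain_admin: bool = False       # member of the Domain Admins group
    builtin: bool = False            # built-in member of local Administrators
    restricted_group: bool = False   # member of a Group Policy Restricted group

    @property
    def excluded(self) -> bool:
        # Each table row with one "Yes" here has "Exclude account from count";
        # treating several "Yes" flags the same way is an assumption.
        return self.domain_admin or self.builtin or self.restricted_group

def score_accounts(members):
    """Per-account table: return {account name: score}."""
    counted = [m for m in members if not m.excluded]
    several = len(counted) > 1       # "More than one non-excluded account"
    scores = {}
    for m in members:
        if m.excluded:
            scores[m.name] = "Informational"
        else:
            scores[m.name] = "Medium" if several else "Low"
    return scores

def score_overall(scores):
    """Overall table: return (score, results message)."""
    medium = sum(1 for s in scores.values() if s == "Medium")
    if medium >= 2:
        # Filling "number" with the Medium count is an assumption.
        return "Medium", ("The following number of unnecessary Local "
                          f"Administrators were found on this computer: {medium}.")
    return "Low", "Unnecessary Local Administrators were not found on this computer."

# Constructed inventory for one host (not real accounts).
SAMPLE = [
    Member(r"HOST01\Administrator", builtin=True),
    Member(r"CONTOSO\da-ops", domain_admin=True),
    Member(r"CONTOSO\helpdesk-tier2", restricted_group=True),
    Member(r"CONTOSO\alice"),
    Member(r"CONTOSO\bob"),
]

if __name__ == "__main__":
    per_account = score_accounts(SAMPLE)
    for name, score in per_account.items():
        print(f"{score:13} {name}")
    print(*score_overall(per_account), sep=": ")
```

With the sample inventory, the two ordinary accounts score Medium and the host scores Medium; removing either one leaves a single non-excluded account, which scores Low and brings the host to Low.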