Secure Windows Server 2003 Built-in Accounts

Applies To: Windows Server 2003, Windows Server 2003 with SP1

After the installation of Microsoft® Windows® Server 2003, the built-in accounts Administrator and Guest exist on the Web server. In some instances, potential attackers can exploit these well-known accounts unless they are renamed or disabled.

The Administrator account can be renamed, but cannot be disabled. The Guest account can be renamed and disabled. To help prevent potential attackers from exploiting these accounts, do the following:

  • Rename the Administrator account.

  • Rename and disable the Guest account.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To rename the Administrator user account

  1. In Control Panel, click Administrative Tools, and then click Computer Management.

  2. In the console tree, expand Local Users and Groups, and then click Users.

  3. In the details pane, right-click Administrator, and then click Rename.

  4. Type the new user name, and then press ENTER.

To disable and rename the Guest user account

  1. In Control Panel, click Administrative Tools, and then click Computer Management.

  2. In the console tree, expand Local Users and Groups, and then click Users.

  3. In the details pane, right-click Guest, and then click Properties.

  4. In the Guest Properties dialog box, on the General tab, click the Account is disabled check box, and then click OK.

  5. In the details pane, right-click Guest, and then click Rename.

  6. Type the new user name, and then press ENTER.
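
To verify the result of both procedures, the following added example (not part of the original article) audits the built-in accounts by their well-known relative identifiers, 500 for Administrator and 501 for Guest, which stay the same after a rename. It assumes Windows PowerShell 2.0 or later is installed on the server; the function name Test-BuiltinAccount and the sample accounts are constructed for illustration.

```powershell
# Added example: audit the built-in accounts by RID instead of by name.
# A rename changes the account name but not its SID, so RID 500 (Administrator)
# and RID 501 (Guest) identify the accounts reliably after the procedures above.

function Test-BuiltinAccount {
    param([Parameter(Mandatory = $true)] $Accounts)

    $defaultNames = @{ '500' = 'Administrator'; '501' = 'Guest' }

    foreach ($acct in $Accounts) {
        # Local account SIDs have the form S-1-5-21-<machine identifier>-<RID>
        if ($acct.SID -match '^S-1-5-21-\d+-\d+-\d+-(500|501)$') {
            $rid = $Matches[1]
            $findings = @()

            if ($acct.Name -eq $defaultNames[$rid]) {
                $findings += "still uses the default name '$($defaultNames[$rid])'"
            }
            if ($rid -eq '501' -and -not $acct.Disabled) {
                $findings += 'Guest account is enabled'
            }

            New-Object PSObject -Property @{
                Rid       = $rid
                Name      = $acct.Name
                Disabled  = $acct.Disabled
                Compliant = ($findings.Count -eq 0)
                Findings  = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample input with the same properties as Win32_UserAccount.
$sample = @(
    New-Object PSObject -Property @{ Name = 'Administrator'; Disabled = $false
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    New-Object PSObject -Property @{ Name = 'svc_visitor'; Disabled = $true
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-501' }
    New-Object PSObject -Property @{ Name = 'webadmin'; Disabled = $false
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1004' }
)

Test-BuiltinAccount -Accounts $sample |
    Format-Table Rid, Name, Disabled, Compliant, Findings -AutoSize

# On the server itself, audit the live local accounts:
# Test-BuiltinAccount -Accounts (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")
```

In the constructed sample, the RID 500 account is reported as non-compliant because it still uses the default name, the renamed and disabled RID 501 account is reported as compliant, and the ordinary user account is ignored.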