When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem -- the administrator account comes with no password and an obvious default name ("administrator"). While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.

Myth: Renaming this account prevents hackers from finding it

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM. However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On the Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs. You can do so by following the steps above, with one exception: Double-click Network Access: Allow Anonymous SID/Name Translation (instead of Additional Restrictions For Anonymous Connections), and make sure the policy is set to Disabled.

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

Now, the only account with full administrative rights has a name known only to you -- and hackers can't enumerate SIDs to find it!

Myth: You can't lock out the account after failed logon attempts

Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.) To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.

Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts. However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.

Final thoughts

Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.
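As an added example that is not part of the original article, the following PowerShell script audits the three points above on a single host: it finds the built-in administrator by its well-known RID of 500 rather than by name (so a rename does not hide it from you either) and reports whether it is disabled, reads the settings behind the anonymous-enumeration policies, and counts recent failed logons against that account, which is what an account-lockout threshold counts. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later, run from an elevated prompt; the Get-LocalUser and Get-WinEvent cmdlets and the RestrictAnonymousSAM value postdate the Windows 2000/2003 systems the article covers, and Passprop.exe is not used. The function names are my own.

```powershell
# Added example, not from the original article. Assumes an elevated
# Windows PowerShell 5.1+ session on Windows 10 / Server 2016 or later.

# 1. Locate the built-in administrator by RID 500, whatever it is named now.
function Get-BuiltinAdministrator {
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

# 2. Read the values behind the anonymous-enumeration policies.
#    RestrictAnonymous      : Windows 2000 "Additional restrictions for anonymous
#                             connections" (1 = do not allow enumeration of SAM
#                             accounts and shares, 2 = no access without explicit
#                             anonymous permissions)
#    RestrictAnonymousSAM   : "Network access: Do not allow anonymous enumeration
#                             of SAM accounts" (1 = enabled)
#    LSAAnonymousNameLookup : "Network access: Allow anonymous SID/Name translation",
#                             stored in the LSA policy, so it is read from a
#                             secedit export rather than the registry (0 = disabled,
#                             which is the setting the article asks for)
function Get-AnonymousAccessSettings {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'LSAAnonymousNameLookup*' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $lookup = if ($line -match '=\s*(\d)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        RestrictAnonymous      = $lsa.RestrictAnonymous
        RestrictAnonymousSAM   = $lsa.RestrictAnonymousSAM
        AnonymousSidNameLookup = $lookup
    }
}

# 3. Count failed logons (Security event 4625) against one account, grouped by
#    the source address in the event. These are the attempts a lockout threshold
#    counts, so watching them shows when the threshold is about to trip.
function Get-FailedLogons {
    param([string]$AccountName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d.TargetUserName
                Source    = $d.IpAddress
                LogonType = $d.LogonType
            }
        } |
        Where-Object { $_.User -eq $AccountName } |
        Group-Object Source |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

$admin = Get-BuiltinAdministrator
"Built-in administrator (RID 500) is named '{0}'; enabled: {1}" -f $admin.Name, $admin.Enabled

Get-AnonymousAccessSettings | Format-List

# The current lockout threshold, duration and window, as reported by net accounts.
net accounts | Select-String -Pattern 'Lockout'

Get-FailedLogons -AccountName $admin.Name | Format-Table -AutoSize
```

Run it on a host where the SIDs-enumeration policies have been applied and the built-in account disabled, and the first line should show Enabled: False for the RID-500 account while AnonymousSidNameLookup reads 0; a non-empty failed-logon table against that account means the renamed or disabled account is still being tried and is worth alerting on.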