When you set up an Active Directory (AD) domain, it automatically creates an Administrator account for that domain. Because the domain Administrator account is responsible for controlling all the objects in the domain, it's a common target for malicious activity. You can tighten your domain's security by changing the name of this account and putting a dummy account in its place. This is simple to do:
- Rename the domain Administrator account to something else, such as DOM-ADMIN. Changing the name won't affect the account's default permissions or rights.
- Create a non-administrator account, name it Administrator, then disable this dummy account.
- Set up auditing for failed security events for the newly created dummy account.
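The three steps above, carried out in PowerShell as an added example (this is not code from the original article). It assumes the ActiveDirectory module (RSAT) is installed, that it runs as a Domain Admin, and that auditing is configured on a domain controller; DOM-ADMIN is the new name used in the article, and everything else is looked up from the domain rather than hard-coded.

```powershell
# Added example: rename the built-in domain Administrator, put a disabled
# decoy named "Administrator" in its place, and enable failure auditing.
# Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$newName = 'DOM-ADMIN'   # new name for the real account (from the article)

# The built-in Administrator always carries RID 500, so locate it by SID
# rather than by name; this also works if it was renamed earlier.
$builtinSid = "$($domain.DomainSID.Value)-500"
$builtin    = Get-ADUser -Identity $builtinSid

# Step 1: rename the real account (object name, logon name, UPN, display name).
# Rights and group memberships are tied to the SID, so none of them change.
Rename-ADObject -Identity $builtin.DistinguishedName -NewName $newName
Set-ADUser -Identity $builtinSid `
    -SamAccountName $newName `
    -UserPrincipalName "$newName@$($domain.DNSRoot)" `
    -DisplayName $newName

# Step 2: create the decoy in the same container (CN=Users by default).
# It is an ordinary user in no privileged group, created disabled, with a
# long random password that is never recorded anywhere.
$decoyPassword = ConvertTo-SecureString `
    ("$([guid]::NewGuid())$([guid]::NewGuid())") -AsPlainText -Force
New-ADUser -Name 'Administrator' `
    -SamAccountName 'Administrator' `
    -UserPrincipalName "Administrator@$($domain.DNSRoot)" `
    -Description 'Built-in account for administering the computer/domain' `
    -Path "CN=Users,$($domain.DistinguishedName)" `
    -AccountPassword $decoyPassword `
    -Enabled $false

# Step 3: audit failed authentication so attempts against the decoy are
# logged. Run on a domain controller; in a domain you would normally set the
# same subcategories in the Default Domain Controllers Policy GPO so every
# DC records them, not just this one.
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

# Verify: the real account now answers to its new name, the decoy is disabled.
Get-ADUser -Identity $builtinSid | Select-Object Name, SamAccountName, Enabled
Get-ADUser -Identity 'Administrator' | Select-Object Name, SamAccountName, Enabled
```

One caveat worth keeping in mind as a defender: the renamed account still has RID 500, so the rename by itself is a trip-wire for attempts that go by name, not a replacement for a strong password, restricted logon rights and the auditing in step 3.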
Once the dummy account is being audited, you should periodically check the event logs for failed security events. The events will most likely be due to
- Someone trying to hack your domain. Unaware of the name change, hackers will use the default name Administrator in their malicious attempts.
- Incorrectly configured applications. If someone has incorrectly configured an application (e.g., backup software) to use the domain Administrator account, the application will start to fail after the name change and generate failed security events.
No matter whether a failed security event is due to a malicious attack or an incorrectly configured application, you have a problem.
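The periodic check described above, as an added example that is not part of the original article. It reads a domain controller's Security log for failed authentication aimed at the decoy Administrator account and summarises the attempts by source, which is what tells a misconfigured application (one source, regular retries) apart from something that needs investigating (a source you do not recognise). It assumes it runs on a DC, or against one with `-ComputerName`, with rights to read the Security log and with failure auditing already enabled; the decoy name and the look-back window are assumptions you can change.

```powershell
# Added example: find failed authentication attempts against the decoy
# "Administrator" account and group them by where they came from.
# Assumes a domain controller's Security log with failure auditing enabled.
#
# Event IDs used (all standard Windows Security events):
#   4625  An account failed to log on (logged on the machine where the
#         logon was attempted; on a DC that means logons to the DC itself)
#   4771  Kerberos pre-authentication failed (DC, Kerberos clients)
#   4776  NTLM credential validation; failure is shown by a non-zero Status
$decoy = 'Administrator'          # assumed decoy name (from the article)
$since = (Get-Date).AddDays(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Each event ID names the target account and the source differently.
    switch ($e.Id) {
        4625 { $user = $data.TargetUserName; $source = $data.IpAddress;   $failed = $true }
        4771 { $user = $data.TargetUserName; $source = $data.IpAddress;   $failed = $true }
        4776 { $user = $data.TargetUserName; $source = $data.Workstation; $failed = ($data.Status -ne '0x0') }
    }

    if ($failed -and $user -eq $decoy) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Source = $source }
    }
}

if (-not $hits) {
    "No failed authentication attempts against '$decoy' since $since."
    return
}

# One row per source: how many attempts, first and last seen. A single source
# retrying at a steady interval is usually a misconfigured application such
# as backup software still pointed at the old account name; anything else
# needs a closer look.
$hits |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } },
                  Count,
                  @{ n = 'EventIds'; e = { ($_.Group.Id | Sort-Object -Unique) -join ',' } },
                  @{ n = 'First'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'Last';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it on each domain controller (or forward the Security logs to one place first), since each DC only records the authentication requests it handled itself.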
Note that every member server and client has a local Administrator account, so setting up a dummy domain Administrator account won't protect the member servers or clients. However, you can set up dummy accounts for local Administrator accounts as well.