ISO Position Paper
Position Title: Windows Server Administrator Accounts
Position Audience: Princeton IT Professionals
Contact: Information Security Office: [email protected]
Position Release Date: March 20, 2018
Problem Statement
Windows domain credentials provide native single sign-on across systems: an administrator credential accepted on one server is, by default, accepted on every other system where that account holds rights, so a credential compromised on one server can be reused to reach others. Specific care therefore needs to be taken in how server administrator accounts are created, scoped and monitored, to prevent system compromise and unintended data access.
ISO Position
Windows Server system administrator accounts should be managed to the following criteria:
- The built-in Administrator account (the account with RID 500) should be renamed
- Accounts given administrator privileges should be domain accounts, so that they are managed under the service account lifecycle policy and conform to the University password complexity policy
- Accounts given administrator privileges should be logon-restricted to that particular server, or to the logical group of systems supporting one application (e.g., a high availability pair)
- Accounts with administrator privileges should not have an associated mailbox unless there is a specific, articulated business need that has been approved by the ISO
- Accounts with administrator privileges should not be published in an online or public directory
- Administrative account activity should be auditable to the specific individual using that account (a credential shared between people cannot meet this criterion)
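The following PowerShell is an added example for IT professionals applying the criteria above; it is not part of the ISO paper and is not an official University script. It reports, for one member server, whether the built-in Administrator (RID 500) has been renamed, which members of the local Administrators group are local rather than domain accounts, whether a named domain admin account is logon-restricted to the given servers and whether it carries a mailbox, and which individuals have logged on with administrative privileges in the last day. Assumptions not in the paper: it runs elevated on the server, the RSAT ActiveDirectory module is installed, the server names passed in are the NetBIOS names of the server or its high availability pair, and the account name 'svc-app1-admin' and hosts 'APP1-A'/'APP1-B' in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the ISO paper's own code). Report-only except Set-AdminAccountScope,
# which supports -WhatIf. Account and host names used below are placeholders.

function Get-BuiltinAdminStatus {
    # The built-in Administrator keeps RID 500 whatever it is renamed to, so locate it by SID.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    [pscustomobject]@{
        CurrentName = $builtin.Name
        Renamed     = ($builtin.Name -ne 'Administrator')
        Enabled     = $builtin.Enabled
    }
}

function Get-LocalAdminReport {
    # Members of the local Administrators group. Local (non-domain) principals sit outside the
    # service account lifecycle and University password policies the paper requires.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            IsDomainAccount = ($_.PrincipalSource -eq 'ActiveDirectory')
        }
    }
}

function Test-AdminAccountScope {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$AllowedHosts   # NetBIOS names of the server or HA pair
    )
    # LogonWorkstations is the "Log On To" list; an empty value means "all computers".
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, mail
    $allowed = if ($u.LogonWorkstations) { $u.LogonWorkstations -split ',' } else { @() }
    $outside = @($allowed | Where-Object { $_ -notin $AllowedHosts })
    [pscustomobject]@{
        Account           = $u.SamAccountName
        LogonWorkstations = $u.LogonWorkstations
        ScopedToServers   = ($allowed.Count -gt 0) -and ($outside.Count -eq 0)
        HasMailbox        = [bool]$u.mail          # mail attribute set => a mailbox (or alias) exists
    }
}

function Set-AdminAccountScope {
    # Remediation for an unscoped account; preview with -WhatIf before applying.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$AllowedHosts
    )
    $list = $AllowedHosts -join ','
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Restrict logon to $list")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $list
    }
}

function Get-PrivilegedLogonReport {
    param([int]$Days = 1)
    # Security event 4672 is logged when a logon is granted administrative (special) privileges.
    # Property indexes 1 and 2 of that event are SubjectUserName and SubjectDomainName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
            }
        } |
        Group-Object Account |
        Select-Object @{n='Account';e={$_.Name}}, @{n='Logons';e={$_.Count}}
}

# Usage (placeholder names):
Get-BuiltinAdminStatus
Get-LocalAdminReport | Where-Object { -not $_.IsDomainAccount }
Test-AdminAccountScope -SamAccountName 'svc-app1-admin' -AllowedHosts 'APP1-A','APP1-B'
Set-AdminAccountScope  -SamAccountName 'svc-app1-admin' -AllowedHosts 'APP1-A','APP1-B' -WhatIf
Get-PrivilegedLogonReport -Days 1
```

Two caveats when using this. The "Log On To" list (LogonWorkstations) is evaluated against the computer name the client presents at authentication, so treat it as a guardrail rather than an enforced boundary; for the logon restriction criterion, pair it with "Deny log on" user rights assignments on the other servers or with an Authentication Policy Silo. The 4672 report only attributes activity to an individual if each administrator has a personal administrative account; it also requires "Audit Logon" / "Audit Special Logon" to be enabled, and the events should be forwarded off the server so an intruder with administrator rights cannot clear them.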
Data classification: Public