Windows Server Administrator Accounts

ISO Position Paper

Position Title: Windows Server Administrator Accounts

Position Audience: Princeton IT Professionals

Contact: Information Security Office: InfoSec@princeton.edu

Position Release Date: March 20, 2018


Problem Statement

Because Windows natively provides single sign-on across systems, a compromised administrator credential on one server can be reused on others; specific care must therefore be taken in how administrator accounts are managed to prevent system compromise and unintended data access.

ISO Position

Windows Server system administrator accounts should be managed to the following criteria:

  • The built-in Administrator account should be renamed
  • Accounts given administrator privileges should be domain accounts so they can be managed according to the service account lifecycle policy and will conform to the University password complexity policy
  • Accounts given administrator privileges should be logon-restricted to that particular server or to the logical group of systems supporting one application (e.g., high availability pairs)
  • Accounts with administrator privileges should not have an associated email box unless there is a specific, articulated business need that has been approved by the ISO
  • Accounts with administrator privileges should not be published in an online/public directory
  • Administrative account activity should be auditable to the specific individual using that account
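The following read-only check is an added example and is not part of the ISO position paper or any Princeton tooling. It tests a Windows Server against three of the criteria above that can be verified locally: whether the built-in Administrator account (identified by its well-known RID 500, not its name) still carries its default name, whether any member of the local Administrators group is a local rather than a domain account, and whether the logon and account-management audit subcategories needed for per-individual attribution are enabled. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and auditpol.exe, run in an elevated session on the server being checked; the list of audit subcategories is an assumption chosen for this example.

```powershell
# Added example (not from the ISO position paper): read-only compliance check of
# a Windows Server against the administrator-account criteria listed above.
# Assumes PowerShell 5.1+ with Get-LocalUser / Get-LocalGroupMember and auditpol.exe,
# run elevated on the server itself. Nothing on the system is modified.

$findings = @()

# 1. Built-in Administrator should be renamed. Identify it by its well-known
#    RID (SID ending in -500); renaming does not change the SID.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtIn -and $builtIn.Name -eq 'Administrator') {
    $findings += "Built-in Administrator account (RID 500) still has its default name."
}

# 2. Accounts with administrator privileges should be domain accounts.
#    PrincipalSource is 'Local' for SAM accounts and 'ActiveDirectory' for domain ones.
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    $isBuiltIn = $builtIn -and ($m.SID.Value -eq $builtIn.SID.Value)
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local' -and -not $isBuiltIn) {
        $findings += "Local (non-domain) account holds administrator rights: $($m.Name)"
    }
}

# 3. Administrative activity should be attributable to an individual. That requires
#    logon and account-management auditing to be on; query each subcategory with
#    auditpol and flag any that reports 'No Auditing'. (Subcategory list is an
#    assumption for this example; extend it to match local audit requirements.)
$subcategories = @('Logon', 'Special Logon', 'User Account Management', 'Security Group Management')
foreach ($sc in $subcategories) {
    $line = auditpol.exe /get /subcategory:"$sc" 2>$null | Select-String -Pattern "^\s+$sc\s"
    if (-not $line -or $line.Line -match 'No Auditing') {
        $findings += "Audit subcategory '$sc' is not enabled; admin actions may not be attributable."
    }
}

# Report. Exit code 1 when any criterion fails so the script can feed a scheduled check.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: server meets the checked criteria.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

The check deliberately stops at what the server can answer about itself: the logon-restriction, mailbox and directory-publication criteria depend on Active Directory user rights assignments and on Exchange and directory configuration, so they are verified from the domain side rather than from the individual server.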

Data classification: Public