Administrator accounts are used by users to carry out tasks that require special permissions, such as installing software or renaming a computer. These Administrator accounts should be regularly audited — this should include a password change, and confirmation of who has access to these accounts. On a Windows network, there are several Security Groups that have high levels of access to various parts of the network. These groups should be audited regularly to ensure that there are no normal users as members, only Administrators.
The default groups are:. There may be other groups with high levels of access that have been manually created. These should be documented and added to the auditing process. There is another type of user account that has special access to parts of your network — the Service Account.
Service Accounts are user accounts that are used by software normally on a server to carry out automated tasks such as running backups, or managing your anti-virus administration. These services should never be set up to use Administrator account credentials — there should be at least one dedicated Service Account on your network. Windows has a default guest account called Guest. These guest accounts are the first port of call for criminal hackers and should be immediately and permanently disabled.
If a guest account is required, it should not have an obvious name such as Guest. These are the normal user accounts that are used by staff in their day-to-day work to log onto a computer and do their normal work.
They should not have any special permissions that could potentially lead to damage or data loss. These user accounts are normally members of a Security Group called Domain Users. In some cases, it is necessary to grant special or administrative permissions to users. This should be restricted to Local Admin access they are Administrators only on their own computers, and not on the Domain. These are similar to Domain accounts, but are limited to local access only.
And, if all this seems like more than you want to deal with, I'll also give you a hands-off option! So how does eliminating admin access prevent malware and other problems?
Simple: If the user cannot perform certain operations in the overall system due to limited access rights, the malware that tries to infect the system can't get in through that user's portal!
It's not a matter of trust—it's a matter of reducing the potential vulnerabilities or ways into your system for rogue applications, unwanted spyware, and other nasty infiltrators. Limiting admin-level access to necessary IT users helps ensure that your system stays as secure and controlled as possible. Don't click YES! No, actually! If you run across something that normally would require an Admin account, all you have to do is type in your Admin account password into the box that pops up automatically.
In my opinion every PC should have one account of each type installed even if only one person will be using the computer. A quick rundown of the differences between the two account types will make it easy to understand why I make this recommendation:. In a nutshell, a user logged into an account with Administrator privileges can do pretty much anything on the computer. And as you can imagine, that makes your system more secure. Unfortunately, you also have the ability to do things that you never really intended to do, some of which can cause major problems with the computer.
The Administrator account should only be used when a task absolutely has to be done that a Standard user account is prohibited from doing. During normal use it is always best to log in to a Standard account. And if more than one person will be using the same PC each user should have their own Standard account.
0コメント